Security fixes are only guaranteed for the latest tagged release.
Current supported line: v0.5.0
Older tags may remain visible for historical reasons, but they should not be treated as supported production releases.
If you believe you have found a security issue in BinlogViz:
- Do not open a public GitHub issue with full exploit details.
- Contact the maintainer privately first.
- Include:
  - affected version or commit
  - operating system and architecture
  - reproduction steps
  - impact assessment
  - any suggested mitigation, if available
If no dedicated security contact channel is published yet, use the repository owner contact path and clearly mark the message as a security report.
BinlogViz is a local CLI tool for offline binlog analysis. The main security-sensitive areas are:
- parsing untrusted binlog files
- temporary local DuckDB storage during analysis
- optional SQL context in rendered output
- installation and release artifact verification
Users should:
- verify release checksums before running downloaded binaries
- treat generated reports and JSON output as potentially sensitive if SQL context is enabled
- handle archived stderr logs carefully because they may still contain runtime context such as resolved file lists, progress history, and error details