| Version | Supported |
|---|---|
| 1.x.x | ✅ |
We take the security of MoroJS seriously. If you discover a security vulnerability, please follow these steps:
DO NOT open a public issue for security vulnerabilities.
Instead, please report security issues by:
- Email: Send details to security@morojs.com
- GitHub Security Advisory: Use the "Security" tab → "Report a vulnerability"
Please include as much of the following information as possible:
- Type of issue (e.g. buffer overflow, SQL injection, XSS, etc.)
- Full paths of source file(s) related to the manifestation of the issue
- The location of the affected source code (tag/branch/commit or direct URL)
- Any special configuration required to reproduce the issue
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the issue, including how an attacker might exploit it
- Initial Response: Within 48 hours
- Assessment: Within 7 days
- Fix Timeline: Depends on severity
  - Critical: 1-3 days
  - High: 1-2 weeks
  - Medium: 2-4 weeks
  - Low: Next release cycle
We appreciate responsible disclosure and will acknowledge security researchers who report vulnerabilities to us in our security advisories (unless you prefer to remain anonymous).
When using MoroJS in production:
- Keep dependencies updated
- Use HTTPS in production
- Implement proper input validation
- Follow the principle of least privilege
- Regular security audits with `npm audit`
- Monitor for security advisories
MoroJS includes several built-in security features:
- Input validation with Zod schemas
- CSRF protection middleware
- Rate limiting capabilities
- Content Security Policy (CSP) support
- Secure headers middleware
- Circuit breaker patterns
For more details, see our Security Documentation.