| Version | Supported |
|---|---|
| 0.1.x | ✅ |
We take security vulnerabilities seriously. If you discover a security issue, please report it responsibly.
- Do NOT open a public issue for security vulnerabilities
- Email the maintainers directly or use GitHub's private vulnerability reporting feature
- Include:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact
  - Any suggested fixes (optional)
- Acknowledgment: We will acknowledge receipt within 48 hours
- Assessment: We will assess the vulnerability and determine its severity
- Fix Timeline: Critical issues will be addressed as soon as possible
- Disclosure: We will coordinate disclosure timing with you
This project implements several security practices:
- Automated scanning: pip-audit checks for known vulnerabilities
- Dependabot: Automatic dependency updates via GitHub Dependabot
- Lock file: Dependencies are pinned via `uv.lock`
- Static analysis: Bandit security linter in CI
- Type checking: Strict type checking reduces runtime errors
- Input validation: Pydantic models validate all external data
- GitHub Actions workflows follow security best practices
- No secrets in code or logs
- OIDC authentication for PyPI publishing
When using mela-parser:
- Keep updated: Use the latest version to get security fixes
- API keys: Store OpenAI API keys securely (environment variables, not in code)
- Input validation: Validate EPUB files from untrusted sources before processing them
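As an added illustration of that last item (example code written for this page, not part of mela-parser), the following pre-check rejects EPUB containers that are not valid OCF ZIPs, carry path-traversal member names, or look like zip bombs; the size and ratio limits are assumed values, and `build_epub` only constructs test input.

```python
import zipfile
from io import BytesIO

EPUB_MIMETYPE = b"application/epub+zip"
MAX_TOTAL_UNCOMPRESSED = 200 * 1024 * 1024  # 200 MiB declared total (assumed limit)
MAX_RATIO = 100  # per-entry expansion ratio; far above this is a zip-bomb signature (assumed)

def check_epub(data: bytes) -> list[str]:
    """Return the problems found; an empty list means the container looks sane."""
    # Sizes come from the ZIP central directory, so this is only a pre-check:
    # the code that actually extracts entries must still bound the bytes it reads.
    try:
        zf = zipfile.ZipFile(BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a ZIP container"]
    problems = []
    with zf:
        infos = zf.infolist()
        # OCF requires 'mimetype' as the first entry, stored, with this exact value
        if not infos or infos[0].filename != "mimetype":
            problems.append("first entry must be 'mimetype'")
        elif infos[0].compress_type != zipfile.ZIP_STORED:
            problems.append("'mimetype' must be stored uncompressed")
        elif zf.read("mimetype").strip() != EPUB_MIMETYPE:
            problems.append("wrong media type in 'mimetype'")
        if "META-INF/container.xml" not in zf.namelist():
            problems.append("missing META-INF/container.xml")
        total = 0
        for info in infos:
            name = info.filename
            # absolute or parent-relative names would escape an extraction directory
            if name.startswith("/") or "\\" in name or ".." in name.split("/"):
                problems.append(f"unsafe member path: {name!r}")
            total += info.file_size
            if info.compress_size and info.file_size / info.compress_size > MAX_RATIO:
                problems.append(f"suspicious compression ratio: {name!r}")
        if total > MAX_TOTAL_UNCOMPRESSED:
            problems.append("declared uncompressed size too large")
    return problems

def build_epub(stored: bool = True, extra: tuple = ()) -> bytes:
    """Build a minimal constructed EPUB container in memory (test input, not a real book)."""
    buf = BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", EPUB_MIMETYPE,
                    compress_type=zipfile.ZIP_STORED if stored else zipfile.ZIP_DEFLATED)
        zf.writestr("META-INF/container.xml", "<container/>")
        for name, content in extra:
            zf.writestr(name, content, compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()
```

Run `check_epub` on the raw bytes before handing a file to the parser and refuse anything that returns a non-empty list.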
Security updates will be released as patch versions and announced via:
- GitHub Releases
- GitHub Security Advisories (for critical issues)