We release patches for security vulnerabilities in the following versions:

We take the security of APG Patterns Examples seriously. If you believe you have found a security vulnerability, please report it to us as described below.

• Open a public GitHub issue for security vulnerabilities
• Disclose the vulnerability publicly before it has been addressed

1. Email the maintainer at the email associated with the GitHub account (@masuP9)
2. Include the following information:
   • Description of the vulnerability
   • Steps to reproduce the issue
   • Potential impact
   • Suggested fix (if any)

• Acknowledgment: We will acknowledge your email within 48 hours
• Assessment: We will assess the vulnerability and determine its impact
• Updates: We will keep you informed of our progress
• Resolution: We will release a fix as soon as possible
• Credit: We will credit you in the release notes (unless you prefer to remain anonymous)

This project provides client-side UI components. When using these components:

1. XSS Prevention:

   • Always sanitize user input before rendering
   • Be cautious when using dangerouslySetInnerHTML (React) or v-html (Vue)
   • The components themselves do not directly handle user input sanitization

2. Content Security Policy (CSP):

   • Components use inline styles via Tailwind CSS
   • Ensure your CSP allows necessary styles
   • No inline scripts are used

3. Dependency Security:

   • We regularly update dependencies
   • Run npm audit to check for known vulnerabilities
   • Review dependency updates carefully

4. ARIA Attributes:

   • ARIA attributes are set based on component state
   • Do not allow untrusted input to control ARIA attributes
   • Invalid ARIA can affect accessibility but not security

When integrating these components into your application:

• Validate Props: Validate all props passed to components
• Sanitize Content: Sanitize any user-generated content
• Authentication: Implement proper authentication for sensitive operations
• Authorization: Check user permissions before allowing actions
• HTTPS: Always serve your application over HTTPS

For contributors:

1. Dependencies:

   • Review package.json changes carefully
   • Run npm audit before submitting PRs
   • Keep dependencies up to date

2. Code Review:

   • All PRs require review before merging
   • Security-sensitive changes require additional scrutiny

3. CI/CD:

   • All tests must pass before merging
   • Linting and formatting checks are enforced

• This project focuses on accessibility compliance, not security hardening
• Components are designed for trusted content environments
• Server-side validation is always required for user input

For general security questions or concerns, please open a Discussion or contact the maintainers.

Thank you for helping keep APG Patterns Examples and its users safe!