We release security updates for the following versions:
| Version | Supported |
|---|---|
| 1.x.x | ✅ |
| < 1.0 | ❌ |
This project implements multiple layers of security:
All GitHub Actions used in our CI/CD workflows are pinned to full commit SHAs rather than floating version tags (`@v4`, `@main`). A tag can be moved by whoever controls the action's repository, so a compromised or re-pointed tag could execute attacker-controlled code in our build pipeline; a commit SHA is immutable.
| Workflow | Actions Pinned |
|---|---|
| build-release.yml | 10 actions pinned |
| github-pages.yml | 4 actions pinned |
| biome-check.yaml | 4 actions pinned |
Verification: Run `bun verify-actions.ts` to verify that every action is correctly pinned.
We use GitHub's OIDC (OpenID Connect) integration with NPM for trusted publishing:
- No long-lived NPM tokens stored in GitHub secrets
- Short-lived OIDC tokens, minted per workflow run, used for authentication
- Provenance attestations generated for each publish
This means:
- Package publishes are accepted only from the specific repository and workflow file registered as the trusted publisher on NPM
- There is no long-lived NPM token to leak or reuse
- Every publish carries cryptographic proof of the workflow that produced it
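The checks described in the two passages above (SHA pinning and trusted publishing), as an added TypeScript example that is not the project's own `verify-actions.ts`: it scans a workflow file for `uses:` references that are not pinned to a 40-character commit SHA, and checks a publish workflow for the `id-token: write` permission that OIDC needs and for any leftover `secrets.NPM_TOKEN` reference. The workflow contents, file names and the SHA value are constructed placeholders.

```typescript
// Added example, not the project's verify-actions.ts. Workflow texts, file
// names and the 40-hex SHA below are constructed placeholders.

// owner/repo[/subdir]@<40 hex chars>. Tags such as @v4 or @main do not match.
const SHA_PINNED = /^[\w.-]+\/[\w.-]+(?:\/[\w./-]+)?@[0-9a-f]{40}$/;

export interface Finding {
  line: number; // 1-based line in the workflow file, 0 for file-level findings
  message: string;
}

// Drop a trailing YAML comment (e.g. "# v4.2.2" after a pinned SHA) and whitespace.
function stripComment(line: string): string {
  return line.replace(/\s+#.*$/, "").replace(/^#.*$/, "").trim();
}

// Every `uses:` reference to a remote repository must be pinned to a full commit SHA.
export function findUnpinnedActions(yaml: string): Finding[] {
  const findings: Finding[] = [];
  yaml.split("\n").forEach((raw, i) => {
    const m = /^(?:-\s*)?uses:\s*["']?([^\s"']+)["']?$/.exec(stripComment(raw));
    if (!m) return;
    const ref = m[1] ?? "";
    // Local (./path) and docker:// references carry no mutable git tag; skip them.
    if (ref.startsWith("./") || ref.startsWith("docker://")) return;
    if (!SHA_PINNED.test(ref)) {
      findings.push({ line: i + 1, message: `not pinned to a commit SHA: ${ref}` });
    }
  });
  return findings;
}

// A publish workflow needs `id-token: write` to request an OIDC token and should
// no longer reference a long-lived NPM_TOKEN secret. Assumes block-style YAML.
export function checkTrustedPublishing(yaml: string): Finding[] {
  const findings: Finding[] = [];
  const lines = yaml.split("\n").map(stripComment);
  if (!lines.some((l) => /^id-token:\s*write$/.test(l))) {
    findings.push({ line: 0, message: "missing `id-token: write` permission; no OIDC token can be requested" });
  }
  lines.forEach((l, i) => {
    if (/\bsecrets\.NPM_TOKEN\b/.test(l)) {
      findings.push({ line: i + 1, message: "references secrets.NPM_TOKEN; remove the long-lived token" });
    }
  });
  return findings;
}

export function lint(yaml: string): Finding[] {
  return [...findUnpinnedActions(yaml), ...checkTrustedPublishing(yaml)];
}

// Constructed sample: the pattern this policy forbids.
export const SAMPLE_UNPINNED = `
name: release
permissions:
  contents: read
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm publish
        env:
          NODE_AUTH_TOKEN: \${{ secrets.NPM_TOKEN }}
`;

// Constructed sample: the same job after applying the policy.
export const SAMPLE_PINNED = `
name: release
permissions:
  contents: read
  id-token: write
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # placeholder SHA
      - uses: ./.github/actions/local-step
      - run: npm publish --provenance --access public
`;

const samples: Array<[string, string]> = [["unpinned.yml", SAMPLE_UNPINNED], ["pinned.yml", SAMPLE_PINNED]];
for (const [name, yaml] of samples) {
  const findings = lint(yaml);
  const summary = findings.length === 0 ? "ok" : findings.map((f) => `line ${f.line}: ${f.message}`).join("; ");
  console.log(`${name}: ${summary}`);
}
```

Run it with `bun run` against real workflow files by replacing the constructed strings with `Bun.file(path).text()`; the linter deliberately ignores `./` and `docker://` references, and inline YAML (`permissions: { id-token: write }`) would need a proper YAML parser.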
- Raw HTML is sanitized using the ammonia library (a Rust HTML sanitizer)
- Dangerous links are stripped automatically
- comrak's "unsafe" rendering options, which would pass raw HTML through untouched, are never exposed
The Markdown renderer runs in a WebAssembly sandbox, providing:
- Its own linear memory, isolated from the host JavaScript heap
- No direct filesystem access
- A controlled execution environment: the module can only call the imports the host explicitly provides
We use Bun's `minimumReleaseAge` setting in `bunfig.toml` to mitigate supply chain attacks:

```toml
[install]
# Only install package versions published at least 7 days ago (value in seconds)
minimumReleaseAge = 604800
# Packages that bypass the age requirement
minimumReleaseAgeExcludes = ["@types/bun", "typescript"]
```

Benefits:
- Blocks installation of freshly published versions, the window in which a malicious release (for example one pushed from a hijacked maintainer account) is usually discovered and unpublished
- Allows time for security researchers and the community to identify compromised packages
- Excludes select packages that need rapid updates
Note that the delay does not protect against a typosquatted package that has existed for longer than the window, so new dependency names still need to be reviewed by hand.
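How a release-age policy resolves a version, as an added TypeScript example that is not Bun's implementation: given a registry packument's `time` map, it selects the newest version published at least `minAgeSeconds` before the current time, honouring an excludes list. The package name, versions and timestamps are constructed.

```typescript
// Added example of how a minimum-release-age policy resolves a version. It is
// not Bun's implementation; the packument below (name, versions, timestamps)
// is constructed and does not describe a real package.

export interface Packument {
  name: string;
  versions: string[];
  // Registry metadata: version -> ISO 8601 publish time (npm packuments also
  // carry "created"/"modified" keys here, which are ignored).
  time: Record<string, string>;
}

// Numeric major.minor.patch comparison; prerelease tags are out of scope here.
function compareSemver(a: string, b: string): number {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] ?? 0) - (pb[i] ?? 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Newest version published at least minAgeSeconds before `now`, or null if none
// qualifies. Packages on the excludes list skip the age check entirely.
export function selectVersion(
  pkg: Packument,
  now: Date,
  minAgeSeconds: number,
  excludes: string[],
): string | null {
  const cutoff = now.getTime() - minAgeSeconds * 1000;
  const exempt = excludes.includes(pkg.name);
  const eligible = pkg.versions.filter((v) => {
    if (exempt) return true;
    const published = Date.parse(pkg.time[v] ?? "");
    // A version with no publish time is treated as too new rather than as old.
    return Number.isFinite(published) && published <= cutoff;
  });
  eligible.sort(compareSemver);
  return eligible.length > 0 ? eligible[eligible.length - 1] ?? null : null;
}

// Constructed packument: 1.5.0 was published two hours before NOW; in a real
// incident that is the release nobody has looked at yet.
export const SAMPLE_PACKUMENT: Packument = {
  name: "example-lib",
  versions: ["1.4.0", "1.4.1", "1.5.0"],
  time: {
    "1.4.0": "2026-03-01T00:00:00.000Z",
    "1.4.1": "2026-04-05T12:00:00.000Z",
    "1.5.0": "2026-04-08T10:00:00.000Z",
  },
};
export const NOW = new Date("2026-04-08T12:00:00.000Z");
export const SEVEN_DAYS = 604800; // same value as minimumReleaseAge in bunfig.toml

console.log("7-day policy:", selectVersion(SAMPLE_PACKUMENT, NOW, SEVEN_DAYS, []));
console.log("excluded package:", selectVersion(SAMPLE_PACKUMENT, NOW, SEVEN_DAYS, ["example-lib"]));
```

With the 7-day window the resolver falls back to 1.4.0 even though 1.4.1 and 1.5.0 exist, which is the behaviour to expect when a lockfile update suddenly refuses to pick up a brand-new release.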
- `package-lock.json`/`bun.lockb` committed for reproducible installs
- Biome.js used for linting and formatting (security-focused rules)
- Regular dependency audits via `npm audit`/`bun audit`
- All code formatted with Biome.js
- TypeScript strict mode enabled
- No `any` types in public APIs
Caution
Do not open a public GitHub issue for security vulnerabilities.
Instead, please report privately:
| Method | Contact |
|---|---|
| Email | me+security@inve.rs |
| Response Time | Within 48 hours |
| Bounty | Considered on a case-by-case basis |
Please include:
- Detailed description of the vulnerability
- Steps to reproduce
- Potential impact assessment
- Suggested fix (if any)
When using this library in your project:
- Keep the library updated to the latest version
- Review the Sanitization behavior for your use case
- Validate that `vite-plugin-wasm` is configured correctly
- Report any unexpected HTML in rendered output
By default, solid-markdown-wasm sanitizes the following:
| Element | Behavior |
|---|---|
| Raw HTML tags | Stripped (replaced with escaped text) |
| `javascript:` URLs | Removed from links |
| `data:` URLs | Removed from links (potential XSS) |
| Unknown protocols | Stripped from href/src attributes |
| `<script>` tags | Never rendered |
| Event handlers (onclick, etc.) | Never rendered |
To customize sanitization (not recommended), you would need to fork the underlying comrak library.
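A consumer-side check for the "report any unexpected HTML" advice and the table above, as an added TypeScript example that is not part of solid-markdown-wasm: it scans rendered output for script tags, inline event handlers and `href`/`src` values whose scheme is not on an allowlist, decoding HTML entities and stripping control characters first so that `&#106;avascript:` or `jav&#x09;ascript:` is not missed. The scheme allowlist (`http`, `https`, `mailto`) and the sample HTML strings are constructed assumptions.

```typescript
// Added example, not part of solid-markdown-wasm: a check that consumers can run
// over rendered output in their own tests. The scheme allowlist and the sample
// HTML strings are constructed assumptions.

const NAMED_ENTITIES: Record<string, string> = {
  lt: "<", gt: ">", amp: "&", quot: '"', apos: "'", tab: "\t", newline: "\n", colon: ":",
};

// Decode numeric and a few named entities the way a browser would inside an
// attribute value, so an obfuscated scheme such as &#106;avascript: becomes visible.
function decodeEntities(s: string): string {
  const fromCode = (cp: number): string =>
    cp >= 0 && cp <= 0x10ffff ? String.fromCodePoint(cp) : "\uFFFD";
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h: string) => fromCode(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d: string) => fromCode(parseInt(d, 10)))
    .replace(/&(lt|gt|amp|quot|apos|tab|newline|colon);/gi, (_, n: string) => NAMED_ENTITIES[n.toLowerCase()] ?? "");
}

// Assumption: the schemes this consumer is willing to see in rendered links.
const ALLOWED_SCHEMES = new Set(["http", "https", "mailto"]);

// Scheme of a URL as a browser would parse it (entities decoded, ASCII control
// characters and spaces removed), or null for a relative URL.
export function urlScheme(value: string): string | null {
  const cleaned = decodeEntities(value).replace(/[\u0000-\u0020]/g, "");
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  return m ? (m[1] ?? "").toLowerCase() : null;
}

// Returns a description of each thing in `html` that the sanitizer should never
// have let through. An empty array means the output looks as expected.
export function findUnexpectedHtml(html: string): string[] {
  const problems: string[] = [];
  // Entities are not decoded here on purpose: "&lt;script&gt;" is escaped text,
  // which is exactly the safe output the sanitizer produces for raw HTML.
  if (/<\s*script\b/i.test(html)) problems.push("script tag present");
  if (/<[a-z][^>]*\son[a-z]+\s*=/i.test(html)) problems.push("inline event handler attribute present");
  const attr = /\b(href|src)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  let m: RegExpExecArray | null;
  while ((m = attr.exec(html)) !== null) {
    const scheme = urlScheme(m[2] ?? m[3] ?? m[4] ?? "");
    if (scheme !== null && !ALLOWED_SCHEMES.has(scheme)) {
      problems.push(`${(m[1] ?? "").toLowerCase()} uses disallowed scheme "${scheme}:"`);
    }
  }
  return problems;
}

// Constructed samples: what correct output looks like, and three outputs that
// would indicate a sanitizer regression.
export const SAMPLES: Record<string, string> = {
  safe: '<p>Hello &lt;script&gt;alert(1)&lt;/script&gt;</p><a href="https://example.com">x</a><a href="/docs">rel</a>',
  entityScheme: '<a href="&#106;avascript:alert(1)">x</a>',
  tabInScheme: '<a href="jav&#x09;ascript:alert(1)">x</a>',
  dataAndHandler: '<img src="data:text/html;base64,AAAA" onerror="alert(1)">',
};

for (const [label, html] of Object.entries(SAMPLES)) {
  console.log(label, findUnexpectedHtml(html));
}
```

Feed the renderer's actual output into `findUnexpectedHtml` from a test and fail the build on a non-empty result; widen `ALLOWED_SCHEMES` only for schemes your application deliberately links to.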
| Date | Action | Details |
|---|---|---|
| 2026-04-01 | Implemented SHA pinning | All 14 GitHub Actions pinned to immutable SHAs |
| 2026-04-01 | Enabled NPM Trusted Publishing | Removed NPM_TOKEN, using OIDC with provenance |
| 2026-04-01 | Added Bun release age protection | bunfig.toml configured with 7-day minimum release age |
We thank the following for responsible disclosure:
None yet - be the first!