We release patches for security vulnerabilities. Currently supported versions:
| Version | Supported |
|---|---|
| 1.2.x | ✅ |
| 1.1.x | ✅ |
| 1.0.x | ✅ |
| < 1.0 | ❌ |
We take the security of @calphonse/logger seriously. If you believe you have found a security vulnerability, please report it to us as described below.
Please do not report security vulnerabilities through public GitHub issues.
Instead, please report them via email to the repository owner at:
- Email: Use the contact information from the GitHub profile
You should receive a response within 48 hours. If for some reason you do not, please follow up via GitHub to ensure we received your original message.
Please include the following information in your report:
- Type of issue (e.g., buffer overflow, SQL injection, cross-site scripting, etc.)
- Full paths of source file(s) related to the manifestation of the issue
- The location of the affected source code (tag/branch/commit or direct URL)
- Any special configuration required to reproduce the issue
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the issue, including how an attacker might exploit the issue
This information will help us triage your report more quickly.
After submitting a report, you can expect:
- Acknowledgment: Within 48 hours, we'll acknowledge receipt of your vulnerability report
- Initial Assessment: Within 5 business days, we'll provide an initial assessment of the report
- Status Updates: We'll keep you informed about the progress of fixing the issue
- Resolution: Once the issue is resolved, we'll notify you and publicly disclose the vulnerability (with credit to you, if desired)
When using @calphonse/logger in your applications:
Never log sensitive information such as:
- Passwords or authentication tokens
- API keys or secret keys
- Personally Identifiable Information (PII)
- Credit card numbers or financial data
- Session tokens or JWTs
```javascript
// BAD - Logging sensitive data
logger.info('User logged in', { password: user.password, token: jwt });

// GOOD - Log only safe metadata
logger.info('User logged in', { userId: user.id, timestamp: Date.now() });
```

For production environments, use JSON logging to prevent console injection attacks:

```javascript
const logger = new Logger({
  json: true, // Enable JSON output in production
  level: LogLevel.INFO, // Avoid verbose logging
});
```

The logger automatically sanitizes inputs, but be cautious with user-provided data:

```javascript
// The logger handles this safely, but be aware
logger.info('User input', { userInput: req.body.message });
```

When using AI-powered features:
- AI insights are cached locally by default
- Use local AI (Ollama) for sensitive environments
- Review AI-generated content before acting on it
- Set appropriate caching policies for your security requirements
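To make the console-injection and sensitive-data points above concrete, here is an added example (not code from @calphonse/logger) that contrasts a naive plain-text formatter with JSON output plus key-based redaction; `sanitize`, `redact`, `formatPlain`, `formatJson`, `lineCount`, the `SENSITIVE_KEYS` list and the `HOSTILE_INPUT` sample are all constructed for this illustration.

```javascript
// Added illustration (not @calphonse/logger's own code) of why JSON output
// resists console/log injection and why secret-bearing fields must be redacted.

// Keys whose values are replaced before the record is written (constructed list).
const SENSITIVE_KEYS = new Set(['password', 'token', 'jwt', 'apikey', 'api_key', 'secret', 'authorization']);

// Strip ASCII control characters (newline, carriage return, ESC, ...) so a
// value cannot start a new line or carry an ANSI escape sequence to a terminal.
function sanitize(value) {
  return String(value).replace(/[\x00-\x1f\x7f]/g, '');
}

// Replace values of well-known secret-bearing keys (case-insensitive match).
function redact(meta) {
  const out = {};
  for (const [key, value] of Object.entries(meta)) {
    out[key] = SENSITIVE_KEYS.has(key.toLowerCase()) ? '[REDACTED]' : value;
  }
  return out;
}

// Weak form: plain-text concatenation writes user input verbatim, so an
// embedded newline produces a second, caller-chosen log record.
function formatPlain(level, msg, meta) {
  const fields = Object.entries(meta).map(([k, v]) => `${k}=${v}`).join(' ');
  return `${level} ${msg} ${fields}`;
}

// Hardened form: JSON.stringify escapes "\n" as "\\n" and ESC as "\u001b",
// so the record stays on one line and the input stays inside its string value.
function formatJson(level, msg, meta) {
  return JSON.stringify({ level, msg, ...redact(meta) });
}

// Constructed hostile input: a newline followed by text shaped like a
// legitimate login record, then an ESC byte that a terminal would interpret.
const HOSTILE_INPUT = 'hello\nINFO User logged in userId=admin\x1b[0m';

// Number of physical lines a formatted record occupies.
function lineCount(record) {
  return record.split('\n').length;
}

console.log(formatPlain('INFO', 'User input', { userInput: HOSTILE_INPUT }));
console.log(formatJson('INFO', 'User input', { userInput: HOSTILE_INPUT, password: 'hunter2' }));
```

The plain-text record prints as two lines, the second indistinguishable from a genuine login entry, while the JSON record stays on one line, round-trips the input unchanged through `JSON.parse`, and carries `[REDACTED]` in place of the password.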
- Keep @calphonse/logger updated to the latest version
- Regularly audit your dependencies with `pnpm audit`
- Enable Dependabot for automatic security updates
When we receive a security bug report, we will:
- Confirm the problem and determine affected versions
- Audit code to find any similar problems
- Prepare fixes for all supported versions
- Release new security patch versions as soon as possible
If you have suggestions on how this process could be improved, please submit a pull request or open an issue to discuss.
Last Updated: October 25, 2025