Security updates are provided for the latest released version only.
Do not report security vulnerabilities through public GitHub issues.
Report via:
- Email: [email protected]
- GitHub's private vulnerability reporting
Include: issue type, affected source files, reproduction steps, and potential impact.
We acknowledge reports within 48 hours and provide a detailed response within 7 days.
- npm audit and OSV Scanner for dependency vulnerabilities
- CodeQL for JS/TS and C++ semantic analysis
- TruffleHog for secrets detection
- ESLint Security Plugin for static analysis
Scans run on every push and pull request, and on a weekly schedule.
- Uses official SQLite amalgamation source with recommended security flags
- C++ code analyzed with clang-tidy and ASAN
- Memory safety validated through comprehensive testing
```js
// Read-only mode: the database cannot be modified through this handle
const db = new DatabaseSync("database.db", { readonly: true });

// Extension loading (disabled by default): both calls are required before
// loadExtension() will succeed, so only enable it for trusted extension paths
db.allowExtension();
db.enableLoadExtension(true);
db.loadExtension("path/to/extension");
```

- Use parameterized queries to prevent SQL injection
- Validate user input before use in queries
- Run with minimal permissions
- Keep dependencies updated
Upon receiving a report, we confirm the issue, audit for similar problems, prepare fixes, and coordinate disclosure with the reporter.