CodeDeck opens local folders, launches external applications and runs user-configured commands. Security reports involving those areas are taken seriously.
| Version | Supported |
|---|---|
| 0.2.x | Yes |
| 0.1.x | No |
Only the latest minor release receives security fixes during early development.
Do not open a public issue for a security vulnerability.
Use Security → Report a vulnerability on the CodeDeck repository to submit a private report. When private vulnerability reporting is unavailable, contact the maintainer through their GitHub profile and ask for a private reporting channel. Do not include exploit details in a public message.
A useful report includes:
- the affected CodeDeck version
- operating system and architecture
- a clear description of the issue
- steps to reproduce it
- expected and actual behavior
- possible impact
- logs or screenshots with secrets removed
- a proposed fix, when available
Examples include:
- command injection through project paths or templates
- commands running without explicit user action
- unsafe handling of imported configuration
- unintended modification or deletion of project files
- exposure of
.envfiles, tokens or other secrets - path traversal while creating or copying templates
- unsafe process termination
- release artifacts or update metadata being replaced or tampered with
Please allow time for the issue to be reproduced and fixed before publishing details. Credit can be included in the release notes unless anonymity is requested.