We release patches for security vulnerabilities in the following versions:
| Version | Supported |
|---|---|
| 3.x.x | ✅ |
| < 3.0 | ❌ |
We take the security of faf-cli seriously. If you believe you have found a security vulnerability, please report it to us as described below.
Please do not:
- Open a public GitHub issue for security vulnerabilities
- Disclose the vulnerability publicly before we have had a chance to address it
- Exploit the vulnerability beyond what is necessary to demonstrate it
Report security issues via email to: team@faf.one
Include the following information:
- Type of issue (e.g., command injection, path traversal, arbitrary file access)
- Full paths of affected command(s)
- Version of faf-cli (`faf --version`)
- Operating system and Node.js version
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact assessment
What to expect:
- Acknowledgment within 24 hours: confirmation of receipt
- Initial assessment within 72 hours: our evaluation
- Regular updates: progress reports as we develop fixes
- Coordinated disclosure: we work with you on disclosure timing
- Credit: acknowledgment in the security advisory (unless you prefer anonymity)
We will:
- Respond promptly to your report
- Keep you informed of progress
- Treat your report confidentially
- Credit you for responsible disclosure (if desired)
- Issue a fix as quickly as possible
When using faf-cli:
- Install only from official sources:
  ```bash
  npm install -g faf-cli   # official npm registry
  ```
- Verify package integrity when possible
- Keep faf-cli updated to latest version
- Review file paths when using file operations
- Be cautious with untrusted .faf files
- Use appropriate file permissions for sensitive projects
When contributing to faf-cli:
- Follow secure coding practices
- Never commit sensitive data (API keys, tokens, credentials)
- Validate all user inputs
- Sanitize file paths
- Use environment variables for configuration
- Run security audits before submitting PRs:
  ```bash
  npm audit
  npm run build
  npm test
  ```
faf-cli requires filesystem access for its core functionality:
What faf-cli accesses:
- Project root directory (for .faf files)
- Files specified in commands
- User's home directory for global config (optional)
Security measures:
- Path validation to prevent directory traversal
- Read-only operations by default (except explicit write commands)
- No arbitrary code execution
- User consent required for modifications
faf-cli does NOT:
- Execute shell commands from .faf files
- Run arbitrary code from user input
- Eval or interpret code from file contents
All operations are pure data processing.
faf-cli uses safe YAML parsing:
- Disables dangerous YAML features
- No custom tag evaluation
- No arbitrary object instantiation
- Strict schema validation
```typescript
import YAML from 'yaml';

declare const content: string; // the .faf file text read from disk

// Safe YAML parsing approach: the YAML 1.2 core schema only resolves the
// standard scalar types (null, bool, int, float, str) plus maps and sequences,
// so tags that would instantiate language objects are never evaluated.
// Alias expansion ("YAML bombs") is bounded separately by the parser's
// maxAliasCount option, which defaults to 100.
const yaml = YAML.parse(content, {
  schema: 'core', // Safe subset only
  strict: true    // Report spec violations instead of silently ignoring them
});
```
All user inputs are validated:
```typescript
import * as path from 'node:path';

class SecurityError extends Error {}

// Path validation example: reject anything that resolves outside the project root.
function validatePath(inputPath: string, root: string = process.cwd()): string {
  const base = path.resolve(root);                // absolute and normalized, no trailing separator
  const resolved = path.resolve(base, inputPath); // collapses "." and ".." segments
  // Prevent directory traversal. Compare on a directory boundary: a bare
  // startsWith(base) would also accept "/home/u/project-evil" for root "/home/u/project".
  if (resolved !== base && !resolved.startsWith(base + path.sep)) {
    throw new SecurityError('Invalid path');
  }
  // This is a lexical check only; symlinks inside the project are not resolved here.
  return resolved;
}
```
Our typical timeline:
- Day 0: Report received
- Day 1: Acknowledgment sent
- Day 3: Initial assessment completed
- Day 7-30: Fix developed and tested
- Day 30: Coordinated disclosure
- Day 90: Public disclosure if fix is delayed
Critical vulnerabilities receive immediate attention.
- Security updates released as soon as fixes are available
- Critical vulnerabilities marked in release notes
- All security updates documented in CHANGELOG.md
- Users notified via npm advisory system
faf-cli maintains minimal dependencies:
Current dependencies (see package.json for versions):
- commander (CLI framework)
- chalk (terminal colors)
- yaml (safe YAML parsing)
- inquirer (interactive prompts)
- ora (spinners)
Security practices:
- Regular dependency audits (`npm audit`)
- Automated security updates via Dependabot
- Review all dependency updates for security implications
- No deprecated or unmaintained dependencies
```typescript
// Validated in all file operations
const safePath = validateProjectPath(userInput);
```
Most commands are read-only: `faf score`, `faf status`, `faf read`, `faf list`
Write operations require explicit commands: `faf init`, `faf write`, `faf sync`
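The project-scope check described above, as an added example that is not faf-cli's own code: it keeps the lexical prefix test but adds the two things a lexical check alone misses, a symlink inside the project that points outside and a file that is larger than expected, and exercises them against a constructed throwaway project in a temp directory. `resolveInProject`, `readFafFile`, `makeDemoProject`, `demo` and the 1 MiB ceiling are assumptions made for this illustration.

```typescript
import * as fs from 'node:fs';
import * as os from 'node:os';
import * as path from 'node:path';

class SecurityError extends Error {}

// Illustrative ceiling for a .faf file read into memory (an assumption, not faf-cli's real limit).
const MAX_FAF_BYTES = 1024 * 1024;

// lstat-based existence test: does not follow a symlink in the final component,
// and treats ENOTDIR (a file used as a directory) the same as "not there".
function exists(p: string): boolean {
  try { fs.lstatSync(p); return true; } catch { return false; }
}

// Return the canonical path of inputPath and prove it lies under projectRoot.
// Two checks: a lexical one on the resolved path (catches "../" escapes and the
// "/proj-evil" prefix collision), then a realpath one on the deepest existing
// prefix (catches a symlink inside the project that points outside, even when
// the final components do not exist yet, as for a file about to be written).
function resolveInProject(projectRoot: string, inputPath: string): string {
  const root = fs.realpathSync(projectRoot);
  const inside = (p: string): boolean => p === root || p.startsWith(root + path.sep);

  const lexical = path.resolve(root, inputPath); // absolute, "." and ".." collapsed
  if (!inside(lexical)) throw new SecurityError(`path escapes project: ${inputPath}`);

  // Walk up to the deepest component that exists on disk, remembering what is missing.
  const missing: string[] = [];
  let existing = lexical;
  while (!exists(existing)) {
    missing.unshift(path.basename(existing));
    existing = path.dirname(existing);
  }
  let realExisting: string;
  try {
    realExisting = fs.realpathSync(existing); // follows every symlink in the existing prefix
  } catch {
    throw new SecurityError(`dangling symlink in path: ${inputPath}`);
  }
  const real = path.join(realExisting, ...missing); // "missing" holds plain names, no ".." (already collapsed)
  if (!inside(real)) throw new SecurityError(`symlink escapes project: ${inputPath}`);
  return real;
}

// Read a .faf file inside the project with a size cap enforced on the open
// descriptor, so the size that is checked is the size that is read.
function readFafFile(projectRoot: string, relPath: string, maxBytes: number = MAX_FAF_BYTES): string {
  const file = resolveInProject(projectRoot, relPath);
  const fd = fs.openSync(file, 'r');
  try {
    const size = fs.fstatSync(fd).size;
    if (size > maxBytes) throw new SecurityError(`.faf file too large: ${size} bytes`);
    return fs.readFileSync(fd, 'utf8');
  } finally {
    fs.closeSync(fd);
  }
}

// Constructed throwaway layout: <tmp>/project (the root), <tmp>/project-evil (a prefix-collision
// sibling) and <tmp>/secrets (outside the project), plus a symlink project/link -> secrets.
function makeDemoProject(): string {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), 'faf-demo-'));
  const root = path.join(base, 'project');
  for (const d of [root, path.join(base, 'project-evil'), path.join(base, 'secrets')]) fs.mkdirSync(d);
  fs.writeFileSync(path.join(root, 'project.faf'), 'project:\n  name: demo\n');          // constructed sample
  fs.writeFileSync(path.join(base, 'secrets', 'id_rsa'), 'placeholder, not a real key\n'); // constructed sample
  fs.writeFileSync(path.join(base, 'project-evil', 'x.faf'), 'evil: true\n');            // constructed sample
  fs.symlinkSync(path.join(base, 'secrets'), path.join(root, 'link'));
  return root;
}

// Run candidate paths through the check. Each result is "allowed:<path relative to root>" or "blocked".
function demo(): Record<string, string> {
  const root = makeDemoProject();
  const canonicalRoot = fs.realpathSync(root);
  const out: Record<string, string> = {};
  const candidates = ['project.faf', '../secrets/id_rsa', '../project-evil/x.faf', 'link/id_rsa', 'new-dir/out.faf'];
  for (const p of candidates) {
    try {
      out[p] = 'allowed:' + path.relative(canonicalRoot, resolveInProject(root, p));
    } catch (e) {
      if (!(e instanceof SecurityError)) throw e;
      out[p] = 'blocked';
    }
  }
  out['read:project.faf'] = readFafFile(root, 'project.faf').split('\n')[0]; // first line of the sample
  return out;
}

console.log(demo());
```

The demo needs a filesystem that allows creating symlinks (any POSIX system; on Windows, directory symlinks may require elevated privileges). The second, realpath-based check is what blocks `link/id_rsa`, which the lexical prefix test alone would accept; the `new-dir/out.faf` case shows the same walk-up logic validating a destination for a write command before the file exists. Note that the realpath result is still checked before the open, so a link swapped in between check and use is a race this example does not close.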
faf-cli operates entirely locally:
- No network requests
- No external data transmission
- No phone-home functionality
- All operations on local filesystem
Global config (if used):
- Located in user's home directory
- User-specific permissions
- No sensitive data stored
- Optional feature
| Vulnerability Type | Status | Notes |
|---|---|---|
| Command Injection | ✓ Not vulnerable | No shell command execution |
| Path Traversal | ✓ Protected | Path validation on all operations |
| Arbitrary File Access | ✓ Protected | Scoped to project directory |
| Code Injection | ✓ Not vulnerable | No code evaluation |
| YAML Bombs | ✓ Protected | Safe parsing, size limits |
| Dependency Vulnerabilities | ✓ Monitored | Automated scanning |
We appreciate security researchers who:
- Report issues privately first
- Allow time for fixes before disclosure
- Provide detailed reproduction steps
- Suggest potential fixes
- Help verify patches
No vulnerabilities reported yet
If you report a vulnerability, we will list you here (with your permission).
- Security issues: team@faf.one
- General questions: GitHub Discussions
- Project maintainer: Wolfe James (ORCID: 0009-0007-0801-3841)
faf-cli undergoes regular security reviews:
- v3.1.1: No known vulnerabilities
- v3.0.0: Major security review completed
- Continuous: Automated npm audit checks
Last updated: November 2025
Thank you for helping keep faf-cli and its users safe.
6,000+ downloads. Championship security standards.