We release patches for security vulnerabilities in the following versions:
| Version | Supported |
|---|---|
| 1.x.x | ✅ |
| < 1.0 | ❌ |
We recommend always using the latest version of @relatiohq/opencloud to ensure you have the latest security patches and improvements.
We take the security of @relatiohq/opencloud seriously. If you discover a security vulnerability, please follow these steps:
Please DO NOT report security vulnerabilities through public GitHub issues.
Instead, please report security vulnerabilities privately through GitHub's private vulnerability reporting: open the "Security" tab on the repository and click "Report a vulnerability". Reports filed this way are visible only to the maintainers until a fix and advisory are published.
After submitting a report, you can expect:
- Acknowledgment: We will acknowledge receipt of your vulnerability report within 48 hours.
- Assessment: We will investigate and assess the vulnerability, keeping you informed of our progress.
- Resolution Timeline:
  - Critical vulnerabilities: Patch within 7 days
  - High severity: Patch within 14 days
  - Medium severity: Patch within 30 days
  - Low severity: Included in next regular release
- Disclosure: Once a fix is available, we will:
  - Release a security patch
  - Publish a security advisory
  - Credit you for the discovery (unless you prefer to remain anonymous)
This SDK has zero runtime dependencies, which keeps the installed attack surface small and removes the class of vulnerabilities that arrive through transitive packages. All HTTP requests are made with the platform's native fetch API, so the only network code in the dependency chain is the runtime's own.
The SDK is written in TypeScript with strict type checking enabled, which reduces the risk of type-related bugs and runtime errors. Note that types are checked at compile time only; they do not validate data received over the network, so treat API responses as untrusted input in your own code.
API keys are transmitted in the x-api-key header. The header is sent in the clear inside the request, so the connection itself must be HTTPS: never use this SDK over unencrypted HTTP in production, and keep keys out of URLs, logs and client-side bundles.
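The transport rule above in working form, as an added example that is not the SDK's own code: a small request builder that puts the key in the x-api-key header, refuses any non-HTTPS target (with an opt-in exception for loopback hosts during local development), rejects keys smuggled into the query string, and masks the key when an error message has to be logged. The function names, the `allowInsecureLoopback` option and the loopback exception are assumptions made for this illustration.

```typescript
// Added example, not code from @relatiohq/opencloud. Function names and the
// loopback exception are assumptions made for this illustration.

export interface BuiltRequest {
  url: string;
  method: string;
  headers: Record<string, string>;
}

// Hosts where plaintext HTTP is tolerated for local testing only.
const LOOPBACK_HOSTS = new Set(["localhost", "127.0.0.1", "[::1]"]);

/** Mask a secret for logs: keep a short prefix, drop the rest. */
export function redactKey(apiKey: string): string {
  if (apiKey.length <= 4) return "****";
  return `${apiKey.slice(0, 4)}...(${apiKey.length - 4} more chars)`;
}

/**
 * Build a request for an Open Cloud style endpoint.
 * Throws if the key is empty, if the key was placed in the query string, or
 * if the scheme is not https (unless allowInsecureLoopback is set and the host
 * is a loopback address).
 */
export function buildRequest(
  baseUrl: string,
  path: string,
  apiKey: string,
  opts: { allowInsecureLoopback?: boolean } = {},
): BuiltRequest {
  if (apiKey.trim() === "") {
    throw new Error("API key must not be empty");
  }
  const url = new URL(path, baseUrl);

  if (url.protocol !== "https:") {
    const loopbackOk =
      opts.allowInsecureLoopback === true && LOOPBACK_HOSTS.has(url.hostname);
    if (!loopbackOk) {
      throw new Error(
        `refusing to send x-api-key over ${url.protocol.slice(0, -1)}://${url.host}; use https`,
      );
    }
  }

  // The key belongs in a header, never in the URL: URLs end up in access
  // logs, proxies and browser history.
  url.searchParams.forEach((_value, name) => {
    const lower = name.toLowerCase();
    if (lower === "x-api-key" || lower === "apikey") {
      throw new Error(
        `API key found in query parameter "${name}"; send it in the x-api-key header`,
      );
    }
  });

  return {
    url: url.toString(),
    method: "GET",
    headers: { "x-api-key": apiKey, accept: "application/json" },
  };
}

/** Describe a failure so that the raw key can never appear in the message. */
export function describeFailure(err: unknown, apiKey: string): string {
  const msg = err instanceof Error ? err.message : String(err);
  return apiKey.length > 0 ? msg.split(apiKey).join(redactKey(apiKey)) : msg;
}
```

The returned object can be handed straight to `fetch(req.url, { method: req.method, headers: req.headers })`; the point of building it separately is that the HTTPS check and the query-string check run before any bytes leave the process, and `describeFailure` lets an error path log what went wrong without copying the credential into the log.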
Security updates are released as soon as possible after a vulnerability is confirmed. Subscribe to:
- GitHub Security Advisories: Watch the repository for security updates
- npm/pnpm: Run `pnpm audit` to detect vulnerable versions of this package and its dev dependencies
- Release Notes: Check CHANGELOG.md for security-related updates
This security policy applies to:
- The @relatiohq/opencloud package
- The source code in this repository
- Published versions on npm
This policy does NOT cover:
- Third-party applications using this SDK
- Roblox Open Cloud API itself (report to Roblox directly)
- Development/test dependencies (not included in production builds)
For security concerns, use: GitHub Security Advisories
For general questions, use: GitHub Issues
Thank you for helping keep @relatiohq/opencloud and its users safe!