We actively support the following versions of HoloScript with security updates:
| Version | Supported |
|---|---|
| 6.x.x | ✅ |
| 5.x.x | ❌ |
| 4.x.x | ❌ |
| 3.x.x | ❌ |
| 2.x.x | ❌ |
| 1.x.x | ❌ |
HoloScript uses multiple security scanning tools to ensure code safety:
- Snyk Security Scanning
  - Continuous vulnerability monitoring
  - Daily automated scans
  - Severity threshold: Medium+
  - License compliance checking
- CodeQL Analysis
  - Static code analysis
  - Security and quality queries
  - JavaScript/TypeScript scanning
  - Automated on every PR
- Dependency Review
  - PR-based dependency analysis
  - License violation detection
  - Known vulnerability blocking
- NPM Audit
  - Package vulnerability scanning
  - Automated audit reports
  - Moderate+ severity threshold
- Codecov Coverage
  - 80%+ test coverage requirement
  - Prevents untested code deployment
  - Security test validation
- VM-based Sandbox (`@holoscript/security-sandbox`)
  - Isolated code execution
  - AI-generated code validation
  - Resource limits enforcement
  - Complete audit logging
- Parser Validation
  - Syntax validation before execution
  - Schema compliance checking
  - Malicious pattern detection
We take security vulnerabilities seriously. If you discover a security issue, please follow the process below.
Security vulnerabilities should never be reported through public GitHub issues: a public issue discloses the bug to everyone before a fix exists.
Please report security vulnerabilities using one of these methods:
- Preferred: Use GitHub's Security Advisories
- Email: security@brianonbased.dev
- Encrypted: Use our PGP key
Please include the following information:
- Description: Clear description of the vulnerability
- Impact: Potential security impact and affected versions
- Reproduction: Step-by-step reproduction instructions
- PoC: Proof of concept (if applicable)
- Fix: Suggested fix (if you have one)
- Disclosure: Your preferred disclosure timeline
- Initial Response: Within 48 hours
- Triage: Within 1 week
- Fix Timeline: Depends on severity
  - Critical: 24-48 hours
  - High: 1 week
  - Medium: 2 weeks
  - Low: 1 month
- Public Disclosure: After fix is released and deployed
- Keep Dependencies Updated
  ```bash
  # pull the newest versions of all dependencies, then check them against known advisories
  pnpm update --latest
  pnpm audit
  ```
- Use Security Sandbox for AI Code
  ```typescript
  import { HoloScriptSandbox } from '@holoscript/security-sandbox';

  // aiGeneratedCode: the untrusted .holo source string to execute
  const sandbox = new HoloScriptSandbox({
    timeout: 3000,       // milliseconds before execution is aborted
    enableLogging: true, // record every execution in the audit log
  });

  const result = await sandbox.executeHoloScript(aiGeneratedCode, {
    source: 'ai-generated',
  });
  ```
- Validate User Input
  - Always validate .holo code before execution
  - Use `parseHoloStrict()` for validation
  - Never trust user-provided code
- Enable Security Features
  - Use HTTPS for all network requests
  - Enable CSP headers in web applications
  - Implement rate limiting for API endpoints
- Security Review Checklist
  - No hardcoded credentials
  - No eval() or new Function()
  - Input validation implemented
  - SQL injection prevention
  - XSS prevention
  - CSRF protection
  - Secure dependencies
  - Tests include security cases
- Pre-Commit Security Checks
  ```bash
  pnpm audit
  pnpm test:coverage
  pnpm lint
  ```
- Code Review Requirements
  - Security-sensitive PRs require 2+ approvals
  - Cryptography changes require security team review
  - Authentication/authorization changes need thorough testing
- VM-based code sandboxing
- Parser-based validation
- Dependency vulnerability scanning
- Static code analysis (CodeQL)
- 80%+ test coverage requirement
- Security audit logging
- Resource limit enforcement
- Timeout protection
- License compliance checking
- Hardware security module (HSM) integration
- Signed package verification
- Runtime integrity monitoring
- Advanced threat detection
- Security training for contributors
- Security Team: security@brianonbased.dev
- Project Lead: brian@brianonbased.dev
- PGP Fingerprint: XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX
We appreciate security researchers who responsibly disclose vulnerabilities. Contributors will be:
- Credited in our security advisories (unless you prefer anonymity)
- Listed in our Hall of Fame
- Eligible for our bug bounty program (when available)
Last updated: 2026-02-16