This is a static browser + local script project. Security reports are still welcome, especially for:
- unsafe dependency or script loading,
- data exposure risks,
- injection vectors,
- insecure defaults in scripts/workflows.
Please do not open a public issue with exploit details.
Preferred path:
- Open a private GitHub security advisory (if enabled).
- If a private advisory is not available, open a minimal public issue and ask the maintainers for a private channel.
Include:
- affected file(s),
- reproduction steps,
- impact,
- suggested fix (if available).
Response targets:
- Initial acknowledgement: within 7 days
- Status update: within 14 days
Please allow maintainers reasonable time to validate and fix before public disclosure.