We release security updates for the following versions of CornerKit:

CornerKit is a client-side JavaScript library that:

• Zero runtime dependencies - Minimal attack surface
• No network requests - No data exfiltration risk
• No data collection - Privacy-first design
• CSP compatible - Works with strict Content Security Policies
• Input validation - All user inputs are validated and sanitized

The production library (dist/cornerkit.esm.js, etc.):

• Contains zero vulnerabilities (zero runtime dependencies)
• Is signed and verifiable via npm/CDN checksums
• Includes Subresource Integrity (SRI) hashes for CDN usage

Development and testing dependencies may have advisories:

• These dependencies are not included in the production bundle
• They are only used during development, testing, and build processes
• We regularly update dev dependencies to address security issues
• Dev dependency vulnerabilities do not affect end users

We take security seriously. If you discover a security vulnerability in CornerKit, please report it responsibly.

Please DO NOT report security vulnerabilities through public GitHub issues.

Instead, please email security details to:

me@victorbejar.com (preferred)

Or create a private security advisory:

1. Go to https://github.com/bejarcode/cornerkit/security/advisories
2. Click "New draft security advisory"
3. Fill in the details

Please include the following information:

• Description of the vulnerability
• Steps to reproduce the issue
• Affected versions
• Potential impact
• Suggested fix (if you have one)
• Your contact information (optional, for follow-up)

• Initial Response: Within 24-48 hours
• Triage & Assessment: Within 1 week
• Fix Development: Depends on severity (see below)
• Public Disclosure: After fix is released

We follow the CVSS v3.1 severity rating system:

When using CornerKit in your application:

<script
  src="https://cdn.jsdelivr.net/npm/cornerkit@1.0.0/dist/cornerkit.esm.js"
  integrity="sha384-[HASH]"
  crossorigin="anonymous"
></script>

// Always validate radius and smoothing values from user input
const radius = Math.max(0, Math.min(100, parseFloat(userInput)));
ck.apply(element, { radius, smoothing: 0.8 });

Content-Security-Policy:
  default-src 'self';
  script-src 'self' https://cdn.jsdelivr.net;
  style-src 'self' 'unsafe-inline';  # Required for .style modifications

# Check for updates regularly
npm outdated cornerkit

# Update to latest version
npm update cornerkit

# Check for vulnerabilities
npm audit

# Check CornerKit specifically
npm audit --package=cornerkit

When contributing code to CornerKit:

Avoid:

• eval() or Function() constructors
• innerHTML or outerHTML for user content
• document.write()
• Inline event handlers (onclick, etc.)

Use instead:

• DOM APIs (.style, .setAttribute())
• Type validation
• Input sanitization

// Always validate and sanitize
if (typeof radius !== 'number' || isNaN(radius) || radius < 0) {
  throw new TypeError('radius must be a positive number');
}

test('should reject malicious input', () => {
  expect(() => {
    ck.apply(element, { radius: '<script>alert(1)</script>' });
  }).toThrow();
});

/**
 * Apply squircle corners to element
 * @param element - DOM element (validated)
 * @param config - Configuration (validated and sanitized)
 * @security All inputs are validated before use
 */

No security advisories have been published for CornerKit.

We monitor the following sources for security advisories:

• npm Security Advisories
• Snyk Vulnerability Database
• CVE Database
• OWASP Top 10

Detailed security audit reports are available in:

• packages/core/security/SECURITY-AUDIT.md

For security-related questions or concerns:

Email: me@victorbejar.com GitHub Security: https://github.com/bejarcode/cornerkit/security

We appreciate responsible disclosure of security vulnerabilities. Contributors who report valid security issues will be acknowledged in our:

• Security advisories
• Release notes
• CONTRIBUTORS.md file

Thank you for helping keep CornerKit secure!

Last Updated: 2025-01-11 Policy Version: 1.0.0