cfman uses npm Package Provenance to ensure the published package matches the source code in this repository. Every release is:
- ✅ Built and published via GitHub Actions
- ✅ Cryptographically signed and linked to a specific commit
- ✅ Verifiable on npm with attestations
You can verify the provenance of any version by inspecting its attestation metadata on the registry:

```bash
npm view cfman@latest dist.attestations
```

For an installed copy, `npm audit signatures` checks the registry signature and provenance attestation of every package under `node_modules`. Provenance proves that the tarball was built from the linked commit by the linked workflow; it does not by itself say anything about whether that code is safe, so review the source as you would for any other dependency.

We release security updates for the latest major version only.
| Version | Supported |
|---|---|
| 0.x.x | ✅ |
For security vulnerabilities, please DO NOT open a public issue.
Instead, please report them privately via:
- Email: shayan@novincode.com
- Subject: `[SECURITY] cfman vulnerability report`
Please include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
Response timeline:
- Initial response: within 48 hours
- Status update: within 7 days
- Fix timeline: depends on severity
  - Critical: 1-3 days
  - High: 1-2 weeks
  - Medium: 2-4 weeks
  - Low: best effort

Once a fix is ready, we will:
- Publish a patched version
- Credit you in the release notes (if desired)
- Update this SECURITY.md with the CVE (if applicable)
When using cfman:
- Never commit tokens to version control
- Use a separate token per environment (dev, staging, prod) so that a leaked token exposes only one of them
- Rotate your API tokens regularly, and immediately if one may have leaked
- Scope each token to the minimum permissions and zones it needs, and use Cloudflare's token restrictions (IP allowlists, TTL)
- Keep cfman updated (`npm update -g cfman`)
For contributors:
- Dependencies are updated regularly
- No secrets in code, comments, tests or fixtures
- Token files are created with owner-only permissions (mode 600)
- All user input is validated before use
- External commands are never assembled from user input through a shell (no shell injection)
- Provenance is enabled on all releases
Thanks to these security researchers:
- @ochen1 - Suggested implementing package provenance
Last Updated: October 11, 2025