| Version | Supported |
|---|---|
| Latest | ✅ |
| < 0.4.0 | ❌ |
If you discover a security vulnerability, please follow these steps:
- Do not open a public issue. Instead, email the maintainer directly at
shayan@spielos.xyz. - Include a detailed description of the vulnerability, steps to reproduce, and any potential impact.
- Allow 48 hours for an initial response. We aim to resolve critical issues within 7 days.
- Coordinate disclosure with the maintainer before publicly sharing details.
- No install scripts: The package does not use
preinstall,install, orpostinstallscripts that execute arbitrary code. - Provenance: Published with npm provenance to ensure builds originate from this repository.
- Dependency audits: Regularly updated dependencies with GitHub Dependabot alerts enabled.
- CI validation: All changes undergo
typecheck,lint, andtestin GitHub Actions before merging.
- Local execution: All operations run locally; no data is sent to external servers unless explicitly configured (e.g., provider API keys).
- No telemetry: The CLI does not collect or send telemetry data.
- API keys: Keys are read from environment variables or
.env(gitignored) and never logged or stored in reports.
- Dependabot: Automated dependency updates and security alerts.
- CodeQL: Static code analysis for vulnerabilities.
- Secret scanning: Prevents accidental commits of secrets.
- Trusted publishing: npm packages are published via GitHub Actions with OIDC provenance.
To fully remove Cachecatch and its artifacts:
# Remove local files
rm -rf ./reports ./.env ./cachecatch-x-share*.png
# Remove HOME artifacts
rm -rf ~/.cachecatch
# Clear npx cache
npx clear-npx-cache