Only the latest minor release of modelfile-syntax receives security updates. Older versions may be patched at the maintainer's discretion.
| Version | Supported |
|---|---|
| 0.1.x | yes |
| < 0.1 | no |
This extension runs entirely in the VSCode extension host with no network access, no child_process spawns, and no filesystem writes outside of editor APIs. The attack surface is narrow but not zero — for example, a maliciously crafted Modelfile could in theory trigger pathological regex behavior in the parser or grammar.
To report a vulnerability:
- Do not file a public GitHub issue.
- Email the maintainer via the contact form on ahnafnafee.dev, or use GitHub's private vulnerability reporting.
- Include: extension version, editor (VSCode/VSCodium/Cursor/Windsurf/vscode.dev), reproduction steps, and the impact you observed.
You can expect an acknowledgement within 7 days. Confirmed vulnerabilities will be patched in the next minor release, with credit to the reporter (unless anonymity is requested).
- General code-quality issues — file a normal issue or PR.
- Vulnerabilities in third-party dependencies — please report upstream first; we will track via Dependabot.
- Vulnerabilities in the Ollama runtime itself — report to ollama/ollama.