Currently supported versions of the TCGplayer Python Client:
| Version | Supported | Security Updates |
|---|---|---|
| 2.0.3 | ✅ | ✅ |
| 2.0.2 | ✅ | ✅ |
| 2.0.x | ✅ | ✅ |
| 1.0.x | ❌ | ❌ |
| < 1.0 | ❌ | ❌ |
If you discover a security vulnerability in the TCGplayer Python Client, please follow responsible disclosure practices:
- Email: josh@gobby.ai
- Subject: [SECURITY] TCGplayer Python Client Vulnerability
- Include:
  - Detailed description of the vulnerability
  - Steps to reproduce
  - Potential impact assessment
  - Suggested fix (if any)
- Initial Response: Within 48 hours
- Vulnerability Assessment: Within 7 days
- Fix Development: Depends on severity
- Public Disclosure: After fix is released
This project implements multiple layers of security:
- ✅ Automated security scanning with Bandit
- ✅ Dependency vulnerability checks with pip-audit
- ✅ Static analysis with Semgrep
- ✅ CodeQL analysis for vulnerability detection
- ✅ Comprehensive dependency testing
- ✅ Build system validation
- ✅ Pre-commit hooks for early detection
- ✅ Automated security workflows
- ✅ Dependency review for PRs
- ✅ Weekly security scans
- ✅ Branch protection rules
- ✅ Required code reviews
- ✅ CODEOWNERS for sensitive files
- ✅ Comprehensive .gitignore
Keep out of version control:
- `.env` files
- `*.key` files
- `*.pem` files
- API credentials
- Database connection strings
- Any secrets or sensitive data
Use `.env.example` as a template, and rely on:
- Environment variables for configuration
- Secure credential storage
- Virtual environments
```bash
# Use environment variables
export TCGPLAYER_CLIENT_ID="your_client_id"
export TCGPLAYER_CLIENT_SECRET="your_client_secret"
```

```python
# Never hardcode credentials in source
# ❌ BAD
client = TCGplayerClient(client_id="abc123", client_secret="xyz789")
# ✅ GOOD
client = TCGplayerClient()  # Reads credentials from environment variables
```
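The following is an added example, not code from the TCGplayer Python Client itself, showing how the environment-variable pattern above can be made fail-closed: credentials are read from the environment (the variable names `TCGPLAYER_CLIENT_ID` and `TCGPLAYER_CLIENT_SECRET` are taken from the shell snippet above), a missing or blank value raises instead of silently producing an unauthenticated client, and the secret is excluded from `repr()` so it cannot leak into logs or tracebacks. `parse_dotenv` is a minimal stand-in for loading a local `.env` file (it is not the `python-dotenv` library), and the sample `.env` text is constructed for this example.

```python
import os
import re
from dataclasses import dataclass, field
from typing import Dict, Mapping, Optional

# Variable names assumed from the shell example above.
CLIENT_ID_VAR = "TCGPLAYER_CLIENT_ID"
CLIENT_SECRET_VAR = "TCGPLAYER_CLIENT_SECRET"

# Accepts "KEY=value" and "export KEY=value"; the value group is non-greedy so
# trailing whitespace is dropped.
_DOTENV_LINE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")

# Constructed sample mirroring the layout of a .env file (not a real secret).
SAMPLE_DOTENV = """\
# local development settings (constructed sample)
TCGPLAYER_CLIENT_ID=abc123
export TCGPLAYER_CLIENT_SECRET="xyz789"
EMPTY=
"""


def parse_dotenv(text: str) -> Dict[str, str]:
    """Parse KEY=VALUE lines from .env-style text.

    Blank lines, '#' comments and malformed lines are skipped; matching
    surrounding single or double quotes are stripped from values.
    """
    result: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = _DOTENV_LINE.match(line)
        if not match:
            continue  # malformed line: ignore rather than guess at intent
        key, value = match.group(1), match.group(2)
        if len(value) >= 2 and value[0] == value[-1] and value[0] in ("'", '"'):
            value = value[1:-1]
        result[key] = value
    return result


class MissingCredentialError(RuntimeError):
    """Raised when a required credential is absent or blank (fail closed)."""


@dataclass(frozen=True)
class Credentials:
    client_id: str
    # repr=False keeps the secret out of repr(), logging and traceback locals dumps.
    client_secret: str = field(repr=False)

    def masked(self) -> str:
        """Safe identifier for log lines: a prefix of the id, never the secret."""
        return f"{self.client_id[:4]}***/<secret redacted>"


def load_credentials(environ: Optional[Mapping[str, str]] = None) -> Credentials:
    """Read credentials from `environ` (defaults to os.environ).

    Both variables must be present and non-blank; otherwise a single error
    naming every missing variable is raised, so nothing falls back to a
    hardcoded or empty secret.
    """
    env: Mapping[str, str] = os.environ if environ is None else environ
    missing = [name for name in (CLIENT_ID_VAR, CLIENT_SECRET_VAR) if not env.get(name, "").strip()]
    if missing:
        raise MissingCredentialError("missing environment variable(s): " + ", ".join(missing))
    return Credentials(env[CLIENT_ID_VAR].strip(), env[CLIENT_SECRET_VAR].strip())


if __name__ == "__main__":
    # Demonstrate with the constructed sample instead of the real environment.
    creds = load_credentials(parse_dotenv(SAMPLE_DOTENV))
    print(repr(creds))      # secret does not appear
    print(creds.masked())   # safe value for log output
```

In an application you would call `load_credentials()` with no argument once at startup and pass the resulting values into the client; the injectable `environ` mapping exists so tests can cover the missing-variable path without touching the process environment.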
- Keep dependencies updated
- Review security advisories
- Use virtual environments
- Pin versions in production
- Run pre-commit hooks
- Follow secure coding practices
- Handle errors gracefully
- Validate all inputs
- Test with invalid inputs
- Test authentication failures
- Test rate limiting
- Mock external API calls
```bash
# Check for vulnerabilities
pip-audit
make security
# Update dependencies
pip install --upgrade package_name
# Run dependency tests
make test-deps
```
- Only use packages from PyPI
- Verify package maintainers
- Review package source code for critical dependencies
- Monitor for typosquatting
- Immediate Actions:
  - Rotate all API keys
  - Review access logs
  - Document the incident
- Contact:
  - Email: josh@gobby.ai
  - Include: Timeline, impact, evidence
- Follow-up:
  - Implement fixes
  - Update security measures
  - Post-incident review
- TCGplayer API Security: https://docs.tcgplayer.com/docs/authentication
- Python Security Guide: https://python-security.readthedocs.io/
- OWASP Top 10: https://owasp.org/www-project-top-ten/
- GitHub Security Features: https://docs.github.com/en/code-security
This security policy is part of the TCGplayer Python Client project and is subject to the same license terms.
Last Updated: August 2025
Version: 2.0.2
Maintainer: Josh Wilhelmi (josh@gobby.ai)