• All code is open-source and peer-reviewed by the community.
• Vulnerabilities can be reported privately via GitHub vulnerability reporting.
• All changes are scanned with Snyk prior to publication.
• Releases to npm are published using GitHub Actions Trusted Publishing (OIDC).
• Tags (v*) trigger automated npm publish, providing a full audit trail.

This tool collects zero user data. No credentials, PII, payment info, health data, or user content is ever stored, transmitted, or shared. All analysis runs 100% client-side with no network calls to external services.

We temporarily use metadata (e.g., Flow metadata, timestamps) in-memory only for real-time functionality during your session. This data is never stored, logged, or transmitted and is discarded immediately when the session ends.

Note: You may manually save scan results (e.g., reports, CSV, JSON) to your local filesystem. These files are created at your request and remain under your full control. This tool does not access, upload, or retain them.

We actively track and maintain an up-to-date inventory of all third-party dependencies to ensure security and compatibility. Our dependencies include: