Only the current major release line receives security fixes.

Upgrade to the latest 14.x release to receive all patches.

Do not open a public GitHub issue for security reports.

Report vulnerabilities privately via GitHub Security Advisories:

1. Go to the Security tab of this repository.
2. Click "New draft security advisory".
3. Fill in the description, affected versions, and steps to reproduce.
4. Submit — the maintainer will be notified privately.

Alternatively, send an e-mail to bruno@rmorillo.com with:

• Subject: [SECURITY] @brmorillo/utils — <short title>
• Affected version(s) and runtime environment.
• A concise description and steps to reproduce.
• (Optional) a suggested fix or patch.

We follow responsible disclosure. Credit will be given in the release notes unless you prefer to remain anonymous.

These invariants are tested in CI and must not regress:

• Symmetric encryption uses AES-256-GCM or ChaCha20-Poly1305 — both authenticated; the authTag is verified on decryption, so tampering throws.
• RSA uses OAEP with SHA-256 padding. PKCS#1 v1.5 is not provided.
• ECC default curve is prime256v1 (P-256).
• RC4 is intentionally absent and must never be added.
• AES-CBC is not provided; do not simplify back to it.

• Password hashing uses bcrypt (minimum cost 10).
• General-purpose digests are SHA-256 and SHA-512.

• verify enforces an algorithms allowlist (default ['HS256']); the none algorithm is always rejected.
• generate defaults to expiresIn: '1h' and pins HS256.
• decode does not verify the signature — treat its output as untrusted.

• All file paths are confined to the configured basePath. Paths containing ../ or any other traversal sequence are rejected with a StorageError.

• deepMerge and unflattenObject silently drop keys that would modify __proto__, constructor, or prototype (prototype-pollution protection).

• BaseError.toJSON() omits the stack trace by default (opt in with { includeStack: true }) — safe to forward in HTTP responses.
• All library errors extend BaseError; the library never throws a bare Error.

• Backoff is capped at maxDelay (default 30 s) with optional jitter to prevent thundering-herd.

• All runtime and dev dependencies are pinned to exact versions (no ^ or ~) for reproducible installs.
• Dependencies are updated once a month, intentionally staying at least 3 months behind the latest release to allow time for the community to detect supply-chain attacks or malicious publishes.
• Before adopting a new runtime dependency major, it is verified to ship a CommonJS build (required for dual CJS+ESM output).
• CI runs Gitleaks on every PR and push to main to detect accidentally committed secrets.

In-scope for security reports:

• Vulnerabilities in the library code itself (src/).
• Weaknesses in the cryptographic or JWT defaults described above.
• Path traversal or prototype-pollution bypasses.
• Supply-chain issues in pinned dependencies.

Out of scope:

• Vulnerabilities in example code (examples/) — these are illustrative only.
• Issues requiring physical access to the developer's machine.
• Denial-of-service against the npm registry or GitHub Actions infrastructure.