| Version | Supported |
|---|---|
| main (latest) | Active support |
| Older releases | No longer supported |

Please do NOT open a public GitHub Issue for security vulnerabilities.
If you discover a security vulnerability in PixelPerfect, please report it responsibly by:
- Opening a private security advisory on GitHub: go to the repo → Security tab → Report a vulnerability
- Include the following in your report:
  - Description of the vulnerability
  - Steps to reproduce it
  - Potential impact
  - Suggested fix (if you have one)

| Step | Timeframe |
|---|---|
| Acknowledgement of report | Within 48 hours |
| Confirmation & assessment | Within 7 days |
| Patch release (if valid) | Within 30 days |
Since PixelPerfect processes all images client-side with no backend server, the attack surface is limited. However, we take seriously:
- XSS vulnerabilities via malicious image metadata
- Prototype pollution in dependencies
- Dependency vulnerabilities (npm audit issues)
- iframe security related to the Spline 3D embed

Out of scope:
- Issues in `node_modules` already reported upstream
- Self-XSS (attacks requiring the user to paste code themselves)
- Theoretical vulnerabilities with no practical exploit

Thank you for helping keep PixelPerfect secure.