If you discover a security vulnerability in Opusify CLI, please report it responsibly by emailing security@ebytelab.com. Do not open a public GitHub issue for security vulnerabilities.
We will acknowledge your report within 48 hours and provide a fix timeline.
Opusify CLI is designed to be lightweight (18KB published) with minimal dependencies. Below is our security posture regarding known alerts.
The CLI makes outbound network requests only to GitHub (via giget) to fetch project templates in production mode. No telemetry, analytics, or other network calls are made.
- When: Only when no local
templates/folder exists (i.e., when installed via npm) - Where:
https://github.com/Ebyte-Lab/opusify-templates - Auth: Optional GitHub token for private repos (never sent elsewhere)
In development mode (running from the cloned repo), no network requests are made — templates are copied from disk.
Socket.dev flags two packages for using dynamic code execution (eval or new Function). Both are accepted risks with documented justification:
| Package | Used By | Why It Uses eval | Risk Level | Justification |
|---|---|---|---|---|
uglify-js |
handlebars (optional dep) |
JavaScript minification requires code parsing/generation | Low | Optional dependency; only used if templates are precompiled. Does not execute user input. |
ajv |
eslint (dev dependency) |
JSON Schema validation compiles schemas to functions for performance | Low | Dev dependency only; not included in published package. Does not execute user input. |
Neither package executes user-supplied input. The eval/new Function usage is for internal compilation (template engine and schema validation), not for processing untrusted data.
Some transitive dependencies may be deprecated (e.g., old glob versions from eslint@8). These come from:
eslint@8— Legacy version used as a dev dependency; upgrade to ESLint 9 flat config is planned
The previous tiged dependency (which pulled in most deprecated packages) has been replaced with giget.
We run npm audit in CI on every pull request. High/critical vulnerabilities block merges.
To audit locally:
npm auditWhen users enable Enterprise Security Hardening (enableSecurity: true), generated projects include:
- Zod environment validation (
env.mjs) — Validates all env vars at build time - CSP Headers — Content-Security-Policy, X-Frame-Options, X-Content-Type-Options
.gitignore— Prevents.envfiles from being committed.env.example— Documents required variables without exposing values
| Version | Supported |
|---|---|
| 1.x.x | ✅ Active |
| < 1.0 | ❌ No |