pine-transpiler is pre-1.0 and ships from a single supported line. Security
fixes land only in the latest published version, cut from the main branch.
| Package + version | Supported |
|---|---|
| `@opus-aether-ai/pine-transpiler` — latest (0.4.x) | ✅ |
| `@opus-aether-ai/pine-transpiler` — < 0.4.0 | ❌ — please upgrade |
| `@opusaether/pine-transpiler` (any version) | ❌ — deprecated scope, package renamed in 0.4.0; migrate to `@opus-aether-ai/pine-transpiler` |
We do not backport security fixes to older minor lines, and the legacy
`@opusaether/` scope is unmaintained and receives no fixes at all. Bumping to
the latest release on the new scope is the only supported path.
Do not open a public GitHub Issue for security vulnerabilities.
Please use GitHub's private vulnerability reporting:
- Go to https://github.com/Opus-Aether-AI/pine-transpiler/security/advisories
- Click Report a vulnerability
- Fill in the form; the maintainers receive it privately
GitHub's private vulnerability reporting is the only intake channel.
If you cannot access the form (account restrictions, network issues, etc.),
open a public GitHub Issue titled Security: request for private contact
with no further detail. A maintainer will create a private GitHub
Security Advisory and add you as a collaborator so the full report can
be exchanged there, or — if your GitHub profile lists a contact email —
reach out to that address directly.
When reporting, please include:
- Affected version(s) — e.g. `0.4.3` and earlier
- Vulnerability class — e.g. unsafe `eval`, prototype pollution, path traversal in the CLI, denial-of-service via crafted Pine source
- Reproduction — minimal Pine source or repro steps, plus expected vs. actual behavior
- Impact — what an attacker can do (RCE? DoS? File write outside the intended output dir?)
- Suggested fix, if you have one
Response timeline:
- Acknowledgement: within 7 days
- Triage + severity rating (using CVSS 3.1): within 14 days
- Fix + coordinated disclosure window: 30–90 days depending on severity
- Public advisory + CVE (where applicable): published once the fix is released and a reasonable patch-adoption window has passed
In scope:
- The `@opus-aether-ai/pine-transpiler` package (CLI + library) — both `dist/` and the source it's built from
- The generated JavaScript / `CustomIndicator` factory output, when it can be triggered by user-supplied Pine Script
Out of scope:
- Vulnerabilities in TradingView's `charting_library` or `PineJS` runtime itself — please report those to TradingView
- Vulnerabilities in third-party Pine Script source files you transpile (the output is only as trustworthy as the input)
- Issues that require physical access or social engineering
The library has zero runtime dependencies by design, so there is no
third-party dependency surface to track: what remains is the transpiler's own
code and the JavaScript it emits. The generator emits identifiers through a
`sanitizeIdentifier` allowlist (it blocks `__proto__`, `constructor`,
`prototype`, `eval`, `Function` and JavaScript reserved words), and every
user-controlled string literal is passed through `JSON.stringify` before
interpolation. We use `new Function(...)` in two places, both with sanitized
and uniquified inputs:
- `executePineJS()` in `src/index.ts` runs only the already-emitted JS produced by the transpiler
- the compile step inside `buildIndicatorFactory()` in `src/factory/indicator-factory.ts` is invoked once during factory init
Both calls execute with the full privileges of the host JavaScript runtime, so
the identifier allowlist and `JSON.stringify` are the controls standing between
user-supplied Pine and that boundary. Regression tests cover both paths.
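The following is an added example written for this page; it is not pine-transpiler's own code and does not reproduce its real `sanitizeIdentifier`. It models the two controls described above (an identifier allowlist and `JSON.stringify` on user-controlled literals) next to the raw-interpolation form they replace, and drives both through `new Function()` with a constructed hostile input. The names `emitUnsafe`, `emitSafe`, `runEmitted`, `HOSTILE` and the `p_` prefix are assumptions for illustration only.

```typescript
// Added example for this security policy; NOT pine-transpiler's own code.
// Models an identifier allowlist plus JSON.stringify on string literals, and
// contrasts it with raw interpolation into a new Function() body. Every name
// here is an assumption for illustration, not the project's API.

// Reserved words and names that reach the prototype chain or the evaluator.
const BLOCKED = new Set([
  "__proto__", "constructor", "prototype", "eval", "Function", "globalThis",
  "arguments", "this", "break", "case", "catch", "class", "const", "continue",
  "debugger", "default", "delete", "do", "else", "export", "extends", "finally",
  "for", "function", "if", "import", "in", "instanceof", "let", "new", "return",
  "static", "super", "switch", "throw", "try", "typeof", "var", "void", "while",
  "with", "yield", "await", "enum", "null", "true", "false",
]);

export interface Decl { name: string; value: string }

// Allowlist check: plain ASCII identifier characters only and nothing from
// BLOCKED. The "p_" prefix keeps user names out of the generator's own
// namespace; it stands in for the "uniquified" step mentioned above.
export function sanitizeIdentifier(name: string): string {
  if (!/^[A-Za-z_][A-Za-z0-9_]*$/.test(name) || BLOCKED.has(name)) {
    throw new Error(`unsafe identifier: ${JSON.stringify(name)}`);
  }
  return `p_${name}`;
}

// Vulnerable form: the user value is dropped between bare quotes, so a value
// containing `";` closes the literal and the remainder runs as code.
export function emitUnsafe(decls: Decl[]): string {
  const vars = decls.map((d) => `var ${d.name} = "${d.value}";`);
  const out = decls.map((d) => `${d.name}: ${d.name}`);
  return `${vars.join("\n")}\nreturn { ${out.join(", ")} };`;
}

// Hardened form: identifiers pass the allowlist and every literal goes through
// JSON.stringify, which escapes quotes, backslashes and control characters so
// the value can only ever be a JS string literal. Keys are quoted too, but note
// that a quoted "__proto__" key still sets an object's prototype, which is why
// the allowlist (not quoting) is what blocks that name.
export function emitSafe(decls: Decl[]): string {
  const vars = decls.map(
    (d) => `var ${sanitizeIdentifier(d.name)} = ${JSON.stringify(d.value)};`,
  );
  const out = decls.map(
    (d) => `${JSON.stringify(d.name)}: ${sanitizeIdentifier(d.name)}`,
  );
  return `${vars.join("\n")}\nreturn { ${out.join(", ")} };`;
}

// The new Function() boundary: whatever reaches here runs with the host
// runtime's full privileges.
export function runEmitted(js: string): Record<string, unknown> {
  return new Function(js)() as Record<string, unknown>;
}

// Constructed hostile input: a "title" whose value tries to break out of the
// string literal and overwrite the binding from inside the emitted code.
export const HOSTILE: Decl[] = [
  { name: "title", value: '"; title = "HIJACKED"; var x = "' },
];

// With raw interpolation the injected statement runs and the binding is
// overwritten; with the hardened emitter the value round-trips unchanged.
export function unsafeResult(): unknown {
  return runEmitted(emitUnsafe(HOSTILE)).title;
}
export function safeResult(): unknown {
  return runEmitted(emitSafe(HOSTILE)).title;
}
```

Run `unsafeResult()` and `safeResult()` side by side: the first returns `"HIJACKED"` because the payload executed, the second returns the hostile string verbatim. `sanitizeIdentifier("__proto__")` throws before any code is emitted, which is the behaviour a regression test for this surface should pin down.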
We welcome reports that go deeper than this surface.