We currently provide security support for the following versions:
| Version | Supported |
|---|---|
| 1.x.x | β |
| < 1.0 | β |
The security of effect-redis-bun is a priority. If you discover a security vulnerability, please help us by following these guidelines:
DO NOT open a public issue to report security vulnerabilities.
Instead, report privately through:
-
GitHub Security Advisories (recommended)
- Go to the "Security" tab of the repository
- Click "Report a vulnerability"
- Complete the form with details
-
Direct Email (alternative)
- Send an email to: contactodesarrollo@dimensionvortex.com
- Subject:
[SECURITY] Brief description - Include all details in the body
To help us understand and resolve the issue quickly, include:
- Type of vulnerability (e.g., injection, XSS, authentication, etc.)
- Location of affected code (files, lines)
- Affected version of effect-redis-bun
- Steps to reproduce the problem
- Potential impact of the vulnerability
- Suggested fix (if you have one)
- Your contact information for follow-up
Type: Possible credential exposure
Location: src/index.ts, buildUrl() function
Version: 1.0.0
Description:
Passwords could be logged in certain contexts...
Reproduction:
1. Configure with password: "secret"
2. Call buildUrl()
3. Password appears in...
Impact:
An attacker with access to logs could...
Suggested Fix:
Redact passwords in URLs before logging
- Confirmation: We'll respond within 48 hours acknowledging your report
- Investigation: We'll evaluate the report within 7 days
- Update: We'll keep you informed of progress
- Resolution: We'll work on a priority fix
- Disclosure: We'll coordinate public disclosure with you
- Credit: We'll give you credit in the advisory (if you wish)
We follow a coordinated disclosure policy:
- You report the vulnerability privately
- We confirm and validate the report
- We develop and test a fix
- We release a version with the patch
- We publish a security advisory
- We give you credit (if you accept)
Typical timeframe: 30-90 days depending on severity
We thank the following security researchers:
- No one yet - be the first!
In scope:
- Vulnerabilities in this library's code
- Configuration issues that expose data
- Bugs that allow authentication bypass
- Direct dependency vulnerabilities
Out of scope:
- Vulnerabilities in Redis Server itself
- Issues in Bun runtime (report to Bun)
- Vulnerabilities in Effect (report to Effect)
- Attacks requiring physical access
- Denial of service (DoS) attacks
- Issues in applications using the library
To use this library securely:
- Don't hardcode credentials - use environment variables
- Use TLS in production - configure
tls: true - Limit permissions - use Redis users with ACLs
- Validate inputs - sanitize data before storing in Redis
- Rotate credentials regularly
- Monitor access - logs and alerts in production
- Keep updated - use the latest version
- Review dependencies - run
bun auditregularly
import { makeLayer } from "effect-redis-bun"
// β
Good: Credentials from env vars
const layer = makeLayer({
host: process.env.REDIS_HOST!,
port: parseInt(process.env.REDIS_PORT || "6379"),
password: process.env.REDIS_PASSWORD, // β οΈ Never hardcode
tls: process.env.NODE_ENV === "production", // TLS in prod
username: process.env.REDIS_USER,
database: parseInt(process.env.REDIS_DB || "0")
})
// β Bad: Credentials in code
const badLayer = makeLayer({
password: "my-secret-password" // DON'T DO THIS!
})See GitHub Security Advisories for published advisories.
Thanks for helping keep effect-redis-bun secure for everyone. π