Skip to content

Security: Vortex-Dimension-Digital/effect-redis-bun

Security

SECURITY.md

Security Policy

Supported Versions

We currently provide security support for the following versions:

Version Supported
1.x.x βœ…
< 1.0 ❌

Reporting a Vulnerability

The security of effect-redis-bun is a priority. If you discover a security vulnerability, please help us by following these guidelines:

πŸ”’ Reporting Process

DO NOT open a public issue to report security vulnerabilities.

Instead, report privately through:

  1. GitHub Security Advisories (recommended)

    • Go to the "Security" tab of the repository
    • Click "Report a vulnerability"
    • Complete the form with details
  2. Direct Email (alternative)

πŸ“‹ Information to Include

To help us understand and resolve the issue quickly, include:

  • Type of vulnerability (e.g., injection, XSS, authentication, etc.)
  • Location of affected code (files, lines)
  • Affected version of effect-redis-bun
  • Steps to reproduce the problem
  • Potential impact of the vulnerability
  • Suggested fix (if you have one)
  • Your contact information for follow-up

πŸ“§ Report Example

Type: Possible credential exposure
Location: src/index.ts, buildUrl() function
Version: 1.0.0

Description:
Passwords could be logged in certain contexts...

Reproduction:
1. Configure with password: "secret"
2. Call buildUrl()
3. Password appears in...

Impact:
An attacker with access to logs could...

Suggested Fix:
Redact passwords in URLs before logging

⏱️ What to Expect

  • Confirmation: We'll respond within 48 hours acknowledging your report
  • Investigation: We'll evaluate the report within 7 days
  • Update: We'll keep you informed of progress
  • Resolution: We'll work on a priority fix
  • Disclosure: We'll coordinate public disclosure with you
  • Credit: We'll give you credit in the advisory (if you wish)

πŸ›‘οΈ Disclosure Policy

We follow a coordinated disclosure policy:

  1. You report the vulnerability privately
  2. We confirm and validate the report
  3. We develop and test a fix
  4. We release a version with the patch
  5. We publish a security advisory
  6. We give you credit (if you accept)

Typical timeframe: 30-90 days depending on severity

πŸŽ–οΈ Acknowledgments

We thank the following security researchers:

  • No one yet - be the first!

πŸ” Scope

In scope:

  • Vulnerabilities in this library's code
  • Configuration issues that expose data
  • Bugs that allow authentication bypass
  • Direct dependency vulnerabilities

Out of scope:

  • Vulnerabilities in Redis Server itself
  • Issues in Bun runtime (report to Bun)
  • Vulnerabilities in Effect (report to Effect)
  • Attacks requiring physical access
  • Denial of service (DoS) attacks
  • Issues in applications using the library

πŸ“š Recommended Best Practices

To use this library securely:

  • Don't hardcode credentials - use environment variables
  • Use TLS in production - configure tls: true
  • Limit permissions - use Redis users with ACLs
  • Validate inputs - sanitize data before storing in Redis
  • Rotate credentials regularly
  • Monitor access - logs and alerts in production
  • Keep updated - use the latest version
  • Review dependencies - run bun audit regularly

πŸ” Secure Configuration

import { makeLayer } from "effect-redis-bun"

// βœ… Good: Credentials from env vars
const layer = makeLayer({
  host: process.env.REDIS_HOST!,
  port: parseInt(process.env.REDIS_PORT || "6379"),
  password: process.env.REDIS_PASSWORD, // ⚠️ Never hardcode
  tls: process.env.NODE_ENV === "production", // TLS in prod
  username: process.env.REDIS_USER,
  database: parseInt(process.env.REDIS_DB || "0")
})

// ❌ Bad: Credentials in code
const badLayer = makeLayer({
  password: "my-secret-password" // DON'T DO THIS!
})

πŸ“ Security History

See GitHub Security Advisories for published advisories.


Thanks for helping keep effect-redis-bun secure for everyone. πŸ™

There aren't any published security advisories