| Version | Supported |
|---|---|
| 2.3.x | ✅ |
| 2.2.x | ✅ |
| < 2.2 | ❌ |
We take security vulnerabilities seriously. If you discover a security issue, please follow these steps:
- Do not open a public GitHub issue
- Do not disclose the vulnerability publicly before it has been addressed
- Email the maintainer directly at: fireayehuzekarias@gmail.com
- Include the following information:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact
  - Suggested fix (if any)
Response timeline:
- Acknowledgment: Within 48 hours
- Initial Assessment: Within 5 business days
- Status Updates: Every 7 days until resolved
- Fix Timeline: Critical issues within 7 days, others within 30 days
Disclosure policy:
- We will coordinate disclosure with you
- Security advisories will be published on GitHub
- Credit will be given to reporters (unless anonymity is requested)
When using chapa-nodejs:
- Never commit your secret keys to version control
- Use environment variables for sensitive data
- Keep dependencies updated regularly
- Enable webhook signature verification for production
- Use HTTPS for all API communications
- Implement rate limiting in your application
- Log and monitor suspicious activities
Security features built into chapa-nodejs:
- ✅ Webhook signature verification (HMAC-SHA256)
- ✅ Type-safe validation (Zod)
- ✅ Secure error handling
- ✅ No sensitive data in logs (when debug mode off)
Thank you for helping keep chapa-nodejs secure!