If you find a security issue in this project, please open a private report via GitHub's "Report a vulnerability" flow on this repository instead of opening a public issue. Include:
- A description of the issue and its impact.
- Steps to reproduce (a minimal request/config is ideal).
- The version/commit you tested against.
CURSOR_API_KEY(and anyAUTH_KEYyou configure) should live only in a local, git-ignored.envfile or in your deployment platform's secret store - never in source, never in a commit..envis already listed in.gitignore; only.env.example(with empty placeholder values) is tracked.- Logs redact
Authorizationheaders and any field namedapiKey/cursorApiKey/CURSOR_API_KEY/api_key(seesrc/logger.ts). Startup logs mask the configured key to a short prefix/suffix (seemaskSecretinsrc/logger.ts) - the full key is never printed. - If a Cursor API key is ever accidentally exposed (committed, logged externally, pasted somewhere public), rotate it immediately from the Cursor Dashboard or your team's Service Accounts settings - this project cannot invalidate a key for you.
See the README's "Known dependency vulnerability" section for a transitive undici advisory inherited from @cursor/sdk that currently has no available fix. This is tracked, not ignored.
This project tracks the latest commit on main. There are no maintained release branches; always run the latest main for security fixes.