Skip to content

Security: iamfj/pi-stack-ops

SECURITY.md

Security policy

pi-stack-ops is a Pi extension package. Extensions run with the user's local permissions, so security issues can affect source code, local files, shell commands, GitHub access, and workflow artifacts.

Supported versions

Version Supported
0.x Best-effort security fixes before the first stable release

Reporting a vulnerability

Report suspected vulnerabilities privately through GitHub private vulnerability reporting at https://github.com/iamfj/pi-stack-ops/security/advisories/new. If that isn't available, contact the maintainer directly before publishing details.

Include:

  • affected version or commit;
  • installation source;
  • operating system;
  • reproduction steps;
  • impact assessment;
  • whether secrets, source code, or local files are exposed or modified.

Security scope

In scope:

  • install or publish supply-chain issues;
  • package tarball contents;
  • extension runtime behavior;
  • CLI filesystem cleanup behavior;
  • subprocess execution;
  • status/footer rendering of local state;
  • handling of .pi/stack-ops/ artifacts.

Out of scope:

  • vulnerabilities in a consuming repository's own code;
  • compromised local developer machines;
  • malicious configuration intentionally added by a repository owner.

Maintainer expectations

Maintainers must:

  • keep runtime dependencies minimal;
  • avoid install-time lifecycle scripts;
  • review package contents with bun run pack:dry-run before release;
  • publish with npm provenance when publishing to npm;
  • keep GitHub Actions permissions least-privilege;
  • pin third-party GitHub Actions to full commit SHAs;
  • treat destructive filesystem changes as explicit, confirmed actions.

There aren't any published security advisories