pi-stack-ops is a Pi extension package. Extensions run with the user's local
permissions, so security issues can affect source code, local files, shell
commands, GitHub access, and workflow artifacts.
| Version | Supported |
|---|---|
0.x |
Best-effort security fixes before the first stable release |
Report suspected vulnerabilities privately through GitHub private vulnerability
reporting at
https://github.com/iamfj/pi-stack-ops/security/advisories/new. If that isn't
available, contact the maintainer directly before publishing details.
Include:
- affected version or commit;
- installation source;
- operating system;
- reproduction steps;
- impact assessment;
- whether secrets, source code, or local files are exposed or modified.
In scope:
- install or publish supply-chain issues;
- package tarball contents;
- extension runtime behavior;
- CLI filesystem cleanup behavior;
- subprocess execution;
- status/footer rendering of local state;
- handling of
.pi/stack-ops/artifacts.
Out of scope:
- vulnerabilities in a consuming repository's own code;
- compromised local developer machines;
- malicious configuration intentionally added by a repository owner.
Maintainers must:
- keep runtime dependencies minimal;
- avoid install-time lifecycle scripts;
- review package contents with
bun run pack:dry-runbefore release; - publish with npm provenance when publishing to npm;
- keep GitHub Actions permissions least-privilege;
- pin third-party GitHub Actions to full commit SHAs;
- treat destructive filesystem changes as explicit, confirmed actions.