Only the latest main branch is actively supported for security updates.
If you discover a security vulnerability:
- Do not open a public issue.
- Email the maintainers with:
  - A clear description of the issue.
  - Reproduction steps and impact.
  - Any proposed remediation.
- Expect an acknowledgment within 72 hours.
- Coordinated disclosure will be used for confirmed vulnerabilities.
- Never commit real credentials, API keys, or service-role tokens.
- Use `.env.example` and `.env.supabase.example` templates for local setup.
- Rotate credentials immediately if exposure is suspected.
- Production API keys are stored hashed only; plaintext keys are never persisted.