| Version | Supported |
|---|---|
| 0.8.x | ✅ |
| < 0.8 | ❌ |

We support only the latest minor version. Please upgrade to receive security patches.

This project uses multiple layers of automated security scanning:
- Dependabot: Automated dependency updates (weekly)
- npm audit: Runs on every CI build
- Socket.dev: Supply chain attack detection
- CodeQL: Static analysis for security vulnerabilities (weekly + on PRs)
- Custom security tests: SQL injection, XSS, ReDoS prevention (135 tests)

- Known CVEs in dependencies
- SQL injection vulnerabilities
- Cross-site scripting (XSS)
- Regular expression denial of service (ReDoS)
- Path traversal attacks
- Supply chain attacks (malicious packages, typosquatting)
- Integer overflow/underflow
- Unsafe deserialization
If you discover a security vulnerability:
- Do NOT open a public GitHub issue
- Email: hello@ansvar.eu
- Include:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact
  - Suggested fix (if you have one)
We will respond within 48 hours and provide a timeline for a fix.
This project follows security best practices:
- ✅ All database queries use prepared statements (no SQL injection)
- ✅ Input validation on all user-provided data
- ✅ Read-only database access (no write operations)
- ✅ No execution of user-provided code
- ✅ Automated security testing in CI/CD
- ✅ Regular dependency updates via Dependabot
- ✅ Pre-push hooks block broken tests locally
The regulation database (data/regulations.db) is:
- Pre-built and version-controlled (tamper evident)
- Opened in read-only mode (no write risk)
- Source data from official EUR-Lex (auditable)
- Ingestion scripts require manual execution (no auto-download)
For deployments using PostgreSQL (Cloudflare Workers, REST API):
- ✅ TLS/SSL enabled by default in production
- ✅ Certificate validation enforced for managed providers
- ✅ Custom CA support for self-hosted deployments
- ✅ Secure-by-default configuration with explicit opt-out
Configuration: See docs/DATABASE_SSL.md for detailed SSL/TLS setup guide.
Environment Variables:

```bash
# Secure (default in production)
DATABASE_URL=postgresql://...
DATABASE_SSL_MODE=require # or omit, auto-enabled in production

# Self-hosted with custom CA
DATABASE_SSL_MODE=verify-ca
DATABASE_SSL_CA_CERT=/path/to/ca.crt

# Local dev only (no SSL)
DATABASE_SSL_MODE=disable
```

Never use in production: `DATABASE_SSL_MODE=disable` or `rejectUnauthorized: false`
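
One way to resolve the variables above into a Node.js `tls`-style options object (`rejectUnauthorized`, `ca`), shown as an added example rather than this project's own code. The `NODE_ENV` production check, the behaviour when the mode is omitted outside production, the refusal of `disable` in production and the injected `readFile` helper are assumptions.

```typescript
// Added example, not the project's code. Variable names come from this page;
// the NODE_ENV check and the fail-closed errors are assumptions.
type Env = Record<string, string | undefined>;
type SslOptions = false | { rejectUnauthorized: true; ca?: string };

// readFile is injected so the resolver can be tested offline; in a real
// service pass (p) => fs.readFileSync(p, "utf8").
function resolveSslOptions(env: Env, readFile: (path: string) => string): SslOptions {
  const production = env.NODE_ENV === "production"; // assumed production signal
  // Omitted mode: TLS is auto-enabled in production (assumed off elsewhere).
  const mode = env.DATABASE_SSL_MODE ?? (production ? "require" : "disable");

  switch (mode) {
    case "require":
      // Validate the server certificate against the default trust store.
      return { rejectUnauthorized: true };
    case "verify-ca": {
      const caPath = env.DATABASE_SSL_CA_CERT;
      if (!caPath) {
        throw new Error("DATABASE_SSL_MODE=verify-ca requires DATABASE_SSL_CA_CERT");
      }
      const ca = readFile(caPath);
      if (!ca.includes("-----BEGIN CERTIFICATE-----")) {
        throw new Error("DATABASE_SSL_CA_CERT does not contain a PEM certificate");
      }
      // Trust only the supplied CA and keep validation on.
      return { rejectUnauthorized: true, ca };
    }
    case "disable":
      // The opt-out must be explicit and is refused where it matters most.
      if (production) {
        throw new Error("DATABASE_SSL_MODE=disable is refused in production");
      }
      return false;
    default:
      // Fail closed on typos instead of silently connecting without TLS.
      throw new Error("Unknown DATABASE_SSL_MODE: " + mode);
  }
}

// Constructed sample input: a stub reader returning a placeholder PEM.
const sampleCa =
  "-----BEGIN CERTIFICATE-----\n(constructed placeholder)\n-----END CERTIFICATE-----\n";
const stubRead = (_path: string): string => sampleCa;
console.log(resolveSslOptions({ NODE_ENV: "production" }, stubRead));
```

The resolver never produces `rejectUnauthorized: false`, so every path that enables TLS also validates the certificate.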
We minimize dependencies and regularly audit:
- Core runtime: Node.js, TypeScript, better-sqlite3
- MCP SDK: Official Anthropic package
- No unnecessary dependencies
All dependencies are tracked via package-lock.json and scanned for vulnerabilities.
Latest Audit: 2026-02-07
- npm dependencies: 2 false positives (verified safe via `npm ls`)
- Code scanning: 1 real issue (TLS bypass) - FIXED in commit 199c94b
- OSSF Scorecard: 29 best-practice recommendations (not vulnerabilities)
See GitHub Security Tab for live results.
Last Updated: 2026-02-07