Day One is a static, client-only app — no backend, no accounts, no server-side data. It stores only the current run locally in the browser (IndexedDB). There's no user data on a server to breach.
If you find a security issue — a dependency advisory, a way to compromise the build pipeline, or anything that could harm a user's device — please report it privately:
- Use GitHub's Security → "Report a vulnerability" (private advisory), or
- if that isn't available, open a minimal issue noting it's security-related and asking to take it private.
Please don't disclose details in a public issue until it's been addressed. Thanks for helping keep people safe.