We release patches for security vulnerabilities in the following versions:

| Version | Supported |
|---|---|
| 0.x | ✅ |
If you discover a security vulnerability in Lark, please report it responsibly.
Do not open a public GitHub issue for security vulnerabilities.
Instead, email us at security@graycode.ai with:
- A description of the vulnerability
- Steps to reproduce the issue
- The potential impact
- Any suggested fixes (optional)

- Acknowledgment: We will acknowledge receipt of your report within 48 hours.
- Assessment: We will investigate and assess the severity within 5 business days.
- Resolution: We will work on a fix and coordinate disclosure with you.
- Credit: We will credit you in the release notes unless you prefer to remain anonymous.

- Never commit secrets, API keys, or credentials to the repository.
- Use environment variables for all configuration that varies by environment.
- Sanitize all user input before rendering (the project uses `rehype-sanitize` for Markdown).
- Validate authentication tokens on every API request.
- Keep dependencies up to date and audit regularly with `npm audit`.

Run `npm audit` regularly to check for known vulnerabilities in dependencies, and review the changes `npm audit fix` makes before committing them:

```shell
npm audit
npm audit fix
```