Skip to content

Security: isaka-james/remove-comments

Security

SECURITY.md

Security Policy

remove-comments rewrites source code in place, so its safety promises are part of its security model.

Supported versions

Version Supported
1.x yes
legacy scripts no

What counts as a vulnerability

  • Any input that makes the tool corrupt code it should have left alone
  • A way to make the tool write outside the paths it was given
  • Bypassing the .git or protected directory guarantees
  • Crafted input that causes a hang, a crash, or unbounded memory use

Reporting

Report privately to contact@isakajames.com with steps to reproduce and a sample input. Please do not open a public issue for security reports.

You will get an acknowledgement within 72 hours and a status update within 14 days. Fixed issues are credited in the changelog unless you prefer otherwise.

Hardening notes

  • The crate forbids unsafe code
  • Parsing is bounds checked everywhere and cannot panic on any input
  • A fuel counter and a nesting cap guarantee termination on hostile files
  • Writes are atomic, so a crash can never leave a half written file

There aren't any published security advisories