The latest version of twico-ui published to npm receives security fixes.
Please do not open a public issue for security reports.
Report privately via GitHub Security Advisories:
repo → Security → Report a vulnerability (https://github.com/EncryptionL/twico-ui/security/advisories/new).
Include reproduction steps and affected versions. We aim to acknowledge within 7 days and to ship a fix or mitigation as quickly as the severity warrants, crediting reporters who wish to be credited.
- Zero runtime dependencies. The published tarball ships only
dist/+styles/;react/react-domare peer dependencies.npm audit --omit=devreports 0 vulnerabilities, so the install surface for consumers is minimal. - No CDNs. Fonts are self-hosted (OFL
.ttffiles shipped understyles/fonts/) and icons are inline SVG. Nothing is fetched from a third-party CDN at runtime, so consumers behind strict networks, firewalls, or a tight Content-Security-Policy are unaffected (no 403/blocked-asset failures). A CI guard fails the build if a CDN reference is introduced into shipped source. - URL sanitization. Navigation components (
Breadcrumb,Navbar,Sidebar,List) stripjavascript:/data:/vbscript:schemes (including whitespace/control-char obfuscation) before a consumer-suppliedhrefreaches the DOM. Even so, treat anyhrefyou pass from untrusted/user-influenced data as a trust boundary. - SSR-safe. No
window/documentaccess at module or render scope; all browser access is inside effects/handlers. - Least-privilege CI. Each workflow declares minimal
GITHUB_TOKENpermissions. Releases publish with npm provenance. - Automated scanning. CodeQL static analysis (
.github/workflows/codeql.yml) and Dependabot dependency updates (.github/dependabot.yml) run continuously.
Because the shipped tarball has no runtime dependencies, the following advisories are confined to the build/release/docs toolchain and never reach consumers of the npm package:
| Advisory | Where | Why it doesn't affect consumers |
|---|---|---|
esbuild ≤0.24.2 (GHSA-67mh-4wv8-2f99) |
via vite, docs-site tooling |
Affects only the local dev server; the docs deploy uses a static vite build, which is not exposed. |
brace-expansion, ip-address, picomatch |
inside the npm CLI bundled by @semantic-release/npm |
Used only inside the CI release job; not installed by, or shipped to, consumers. |
These are tracked by Dependabot and updated as upstream fixes land. Run npm audit --omit=dev to confirm the consumer-facing surface stays clean.