Security: BitByBit-B3/marketing

Security Policy

Supported versions

This project is pre-1.0 and ships from main. Security fixes land on main and in the latest release. Older tagged releases are not separately patched.

Version              Supported
main / latest 0.x    Yes
older 0.x tags       No

Reporting a vulnerability

Please do not open a public issue for security problems.

Report privately through GitHub's "Report a vulnerability" button (repository → Security → Advisories). If you can't use GitHub Security Advisories, email engineering@bbyb.dev with the details instead.

Please include:

  • A description of the issue and its impact.
  • Steps to reproduce, ideally with a minimal JSON brief or command.
  • The version / commit and your environment (Node version, OS).

What to expect

  • We aim to acknowledge a report within 5 business days.
  • We'll confirm the issue, work on a fix, and keep you updated on progress.
  • Once a fix is released, we're happy to credit you in the advisory unless you prefer to stay anonymous.

Scope notes

This is a local, offline image-rendering CLI: it takes a JSON brief and bundled fonts and produces a PNG. It does not make network calls at runtime and does not handle user accounts or secrets. The most relevant concerns are things like denial-of-service or resource exhaustion from crafted input, or a way to make the renderer write outside its intended output path. Reports along those lines are especially welcome.

There aren't any published security advisories