Before the first public release, security fixes are made on the default branch. After v0.1.0 is published, the latest v0.1.x release will receive security fixes when practical. Older prerelease snapshots and unmaintained branches are not supported.
| Version | Supported |
|---|---|
| Default branch before first release | Yes |
| Latest 0.1.x after publication | Yes |
| Older snapshots or branches | No |
Do not open a public issue for a suspected vulnerability. Use GitHub's private vulnerability reporting at:
https://github.com/KanadeK/boq-diff/security/advisories/new
If that page is not available before the repository is published, contact the maintainer through the contact method on the KanadeK GitHub profile and ask for a private reporting channel. Do not include sensitive exploit details in a public message.
Please provide:
- affected commit or version;
- browser, operating system, and reproduction conditions;
- a minimal reproduction using fictional data only;
- expected and observed behavior;
- potential impact and any known mitigations;
- whether the issue is already public.
Never send real BOQ files, client data, credentials, proprietary commercial-software exports, or copyrighted pricing databases. A report may use a workbook created from scratch with invented values.
The maintainer will acknowledge the report when possible, assess severity and scope, coordinate a fix, and credit the reporter if requested and safe. Response or release times are not guaranteed for this volunteer project.
BOQ Diff is a static, local-first browser application. Its design excludes a backend, accounts, file uploads, analytics, telemetry, advertisements, and runtime external APIs. Imported file contents are intended to remain in browser memory and are released on refresh or “Clear data.” Only theme, non-sensitive mapping preferences, and comparison tolerances may be persisted.
This boundary reduces network exposure but does not make every workbook trustworthy. A crafted spreadsheet may still exercise browser memory, parser, decompression, formula, or export edge cases. The application therefore enforces file and row limits, does not recalculate formulas, and must not invent results when a cached formula value is unavailable.
Users should:
- obtain the application from a trusted repository or deployment;
- keep the browser current;
- verify exported reports before relying on them;
- follow organizational controls for confidential project data;
- clear the session after use on a shared device;
- avoid importing unexpected or untrusted workbooks.
For the full data-flow and threat-boundary description, see docs/privacy-security.md.