Security: caffeine-projects/dicaf

SECURITY.md

Security Policy

Reporting a Vulnerability

Do not open a public GitHub issue for security vulnerabilities.

Report privately via GitHub's built-in mechanism: Report a vulnerability

Include in your report:

  • Description of the vulnerability and its potential impact
  • Steps to reproduce or a minimal proof-of-concept
  • Affected versions (if known)
  • Any suggested fix or mitigation (optional)

You will receive an acknowledgement within 72 hours. If confirmed, a fix will be prioritised and a GitHub Security Advisory published once resolved.

Scope

DiCaf is a dependency injection container library with no network I/O, no filesystem access, and no external service calls in its core. The attack surface is limited to:

  • Prototype pollution via user-supplied binding keys or metadata
  • Arbitrary code execution via user-controlled factory functions registered in the container
  • Information disclosure via error messages that may expose internal class names or configuration

Vulnerabilities in dependencies (e.g., reflect-metadata) should be reported to their respective maintainers. If a transitive dependency vulnerability directly affects DiCaf users, open a regular issue referencing the upstream advisory.

Out of Scope

  • Vulnerabilities in example code under examples/ — these are for illustration only and not production-ready
  • Issues that require the attacker to already have arbitrary code execution on the host
  • Vulnerabilities in dev dependencies (build tools, test runners, linters, benchmark utilities) — none of these are shipped to end-users. The only production dependency is reflect-metadata, and it is optional — required only when using legacy decorator support

There aren't any published security advisories