Security: QuantumLogicsLabs/make-folder-txt-Website

docs/SECURITY.md

Security Policy

Supported Versions

Version                        Supported
Latest (npm latest tag)        Yes
Older minor/patch releases     No

Only the most recently published version on npm receives security fixes. Please upgrade before reporting an issue to confirm it's still present.

Reporting a Vulnerability

make-folder-txt reads files from disk and writes a .txt dump (and, in --reverse mode, writes files back to disk) — so path-handling and file-write bugs are treated as security issues, not just regular bugs.

Please do not open a public issue for a security vulnerability.

Instead, use GitHub's private reporting flow:

  1. Go to the Security tab of this repository.
  2. Click Report a vulnerability.
  3. Include:
    • A description of the issue and its potential impact
    • Steps to reproduce (a minimal example folder/command is ideal)
    • Your OS and Node.js version
    • Any suggested fix, if you have one

If private reporting isn't available to you for some reason, open a regular issue asking a maintainer to contact you privately, without describing the vulnerability itself.

What counts as in-scope

  • Path traversal or unexpected file writes/overwrites, especially in --reverse mode
  • Ways to make the tool read or write outside the intended project directory
  • Denial-of-service via crafted folder structures (e.g. symlink loops)
  • Any other behavior that could cause data loss or unintended file exposure

Response

We aim to acknowledge new reports within 5 business days and to provide a fix or mitigation plan within 30 days for confirmed issues, depending on severity. You'll be credited in the release notes unless you'd prefer to remain anonymous.

There aren't any published security advisories