| Version | Supported |
|---|---|
Latest (npm latest tag) |
✅ |
| Older minor/patch releases | ❌ |
Only the most recently published version on npm receives security fixes. Please upgrade before reporting an issue to confirm it's still present.
make-folder-txt reads files from disk and writes a .txt dump (and, in
--reverse mode, writes files back to disk) — so path-handling and
file-write bugs are treated as security issues, not just regular bugs.
Please do not open a public issue for a security vulnerability.
Instead, use GitHub's private reporting flow:
- Go to the Security tab of this repository.
- Click Report a vulnerability.
- Include:
- A description of the issue and its potential impact
- Steps to reproduce (a minimal example folder/command is ideal)
- Your OS and Node.js version
- Any suggested fix, if you have one
If private reporting isn't available to you for some reason, open a regular issue asking a maintainer to contact you privately, without describing the vulnerability itself.
- Path traversal or unexpected file writes/overwrites, especially in
--reversemode - Ways to make the tool read or write outside the intended project directory
- Denial-of-service via crafted folder structures (e.g. symlink loops)
- Any other behavior that could cause data loss or unintended file exposure
We aim to acknowledge new reports within 5 business days and to provide a fix or mitigation plan within 30 days for confirmed issues, depending on severity. You'll be credited in the release notes unless you'd prefer to remain anonymous.