We actively support the following versions of LARC with security updates:
| Package | Version | Supported |
|---|---|---|
| @larcjs/core | 1.1.x | ✅ Yes |
| @larcjs/core | 1.0.x | ✅ Yes |
| @larcjs/core | < 1.0 | ❌ No |
| @larcjs/ui | 1.1.x | ✅ Yes |
| @larcjs/ui | 1.0.x | ✅ Yes |
| @larcjs/ui | < 1.0 | ❌ No |
Security support window: We provide security updates for the current major version (1.x) and the previous minor versions within that major version.
Please do NOT report security vulnerabilities through public GitHub issues.
If you discover a security vulnerability in LARC, please follow these steps:
Send details to the maintainers via one of these methods:
Preferred: Use GitHub Security Advisories
- Go to https://github.com/larcjs/core/security/advisories
- Click "Report a vulnerability"
- Fill out the private vulnerability report form
Alternative: Open a security-specific discussion
- Mark it as "Security" category
- We will move it to a private channel immediately
Please provide as much information as possible:
- Type of vulnerability (e.g., XSS, injection, CSRF)
- Affected component(s) (e.g., pan-bus, pan-client, specific UI component)
- Affected version(s)
- Step-by-step reproduction
- Proof of concept (code sample or demo URL)
- Potential impact (what an attacker could do)
- Suggested fix (if you have one)
Example report:
**Vulnerability Type:** Cross-Site Scripting (XSS)
**Affected Component:** pan-markdown-editor v1.1.0
**Description:**
User-supplied markdown content is not properly sanitized before rendering,
allowing arbitrary JavaScript execution.
**Reproduction:**
1. Create a pan-markdown-editor component
2. Insert the following markdown: `[Click me](javascript:alert('XSS'))`
3. Click the rendered link
4. JavaScript executes
**Impact:**
An attacker could inject malicious scripts into markdown content, potentially
stealing user credentials or performing actions on behalf of users.
**Suggested Fix:**
Use DOMPurify or similar library to sanitize HTML output from markdown parser.We aim to respond to security reports according to this timeline:
| Timeframe | Action |
|---|---|
| Within 24 hours | Initial acknowledgment of report |
| Within 3 business days | Preliminary assessment and severity rating |
| Within 7 days | Detailed response with action plan |
| Within 30 days | Fix developed, tested, and released (for critical vulnerabilities) |
| Within 90 days | Fix developed, tested, and released (for non-critical vulnerabilities) |
We follow coordinated disclosure:
- We will work with you to understand and fix the vulnerability
- We will keep you informed of our progress
- We will credit you in the security advisory (unless you prefer anonymity)
- We ask that you do not publicly disclose the vulnerability until we have released a fix
- We will publicly disclose the vulnerability after a fix is released
Typical timeline:
- Day 0: Vulnerability reported privately
- Day 1-3: Acknowledged and assessed
- Day 3-30: Fix developed and tested
- Day 30: Security release published
- Day 30+: Public disclosure with credit to reporter
LARC runs in the browser and relies on browser security features:
Content Security Policy (CSP):
<meta http-equiv="Content-Security-Policy"
content="default-src 'self';
script-src 'self' https://unpkg.com/@larcjs/;
style-src 'self' 'unsafe-inline';">Subresource Integrity (SRI):
<script type="module"
src="https://unpkg.com/@larcjs/core@2.0.0/src/pan.mjs"
integrity="sha384-..."
crossorigin="anonymous"></script>Topic validation:
- Topic names are validated to prevent injection
- Wildcards are restricted (no global wildcards by default)
- Message payloads are not executed as code
Rate limiting:
- Built-in rate limiting prevents message flooding
- Configurable via
rate-limitattribute on<pan-bus>
Example:
<pan-bus
rate-limit="1000"
allow-global-wildcard="false"
max-message-size="1048576"></pan-bus>XSS Prevention:
- Always sanitize user input before rendering
- Use Shadow DOM for encapsulation
- Avoid
innerHTMLwith user-provided content
Example (safe):
// Good - using textContent
element.textContent = userInput;
// Good - sanitizing HTML
import DOMPurify from 'dompurify';
element.innerHTML = DOMPurify.sanitize(userInput);
// Bad - direct innerHTML with user input
element.innerHTML = userInput; // ❌ XSS vulnerabilityAttribute injection:
- Validate attribute values
- Sanitize before using in DOM manipulation
localStorage/sessionStorage:
- Never store sensitive data (passwords, tokens) in localStorage
- Use httpOnly cookies for authentication tokens
- Encrypt sensitive data before persisting
Example:
// Bad - storing sensitive data
localStorage.setItem('authToken', token); // ❌
// Good - using secure cookies (set by server)
// Set-Cookie: authToken=...; HttpOnly; Secure; SameSite=StrictIf you create LARC components:
- Audit dependencies for vulnerabilities
- Use npm audit regularly
- Pin dependency versions
- Follow OWASP security guidelines
Consideration: All components on a page can publish/subscribe to the PAN bus.
Mitigation:
- Use topic namespacing to isolate components
- Validate message sources in sensitive handlers
- Don't put sensitive data in PAN messages
Consideration: The autoloader dynamically imports JavaScript modules.
Mitigation:
- Only load components from trusted sources
- Use Subresource Integrity (SRI) for CDN components
- Configure CSP to restrict script sources
- Use
resolveComponentto validate component paths
Example:
window.panAutoload = {
resolveComponent: (tag) => {
// Whitelist allowed components
const allowed = ['pan-card', 'pan-button', 'pan-table'];
if (!allowed.includes(tag)) {
throw new Error(`Component ${tag} not allowed`);
}
return `/components/${tag}.mjs`;
}
};Consideration: Shadow DOM provides style encapsulation but not security isolation.
Mitigation:
- Don't rely on Shadow DOM for security boundaries
- Still validate and sanitize inputs
- Use proper authentication/authorization
When contributing to LARC:
-
Never commit secrets:
- API keys, tokens, passwords
- Use environment variables or secure vaults
-
Validate all inputs:
- User-provided data
- Attribute values
- Message payloads
-
Sanitize outputs:
- HTML rendering
- URL construction
- DOM manipulation
-
Review dependencies:
- Run
npm auditbefore committing - Update vulnerable dependencies
- Use minimal dependencies
- Run
-
Write secure tests:
- Test input validation
- Test XSS prevention
- Test authorization checks
| Date | Version | Audit Type | Findings |
|---|---|---|---|
| 2024-11-24 | 1.1.0 | npm audit | 0 critical, 0 high |
| 2024-11-XX | 1.0.2 | npm audit | 0 critical, 0 high |
For security concerns or questions:
- Email: security@larcjs.com
- GitHub Security Advisories: https://github.com/larcjs/core/security/advisories
- GitHub Discussions (mark as Security): https://github.com/larcjs/core/discussions
Thank you for helping keep LARC and its users safe! 🔒