Closes a cluster of community-profile gaps (#248, #249, #251, #252) in one PR rather than four micro-PRs that all touch the same surface area. ### Templates (#251, #252) - .github/ISSUE_TEMPLATE/bug_report.yml — required fields for repro (plugin version, platform, OS, project language, file count); the four pieces of context that are missing from ~every current bug report. - .github/ISSUE_TEMPLATE/feature_request.yml — leads with the *problem* rather than the proposed solution, which keeps maintainer review focused on whether to solve, not just how. - .github/ISSUE_TEMPLATE/question.yml — separate from bug to keep the bug queue triagable. - .github/ISSUE_TEMPLATE/config.yml — disables blank issues and routes general discussion to README + Discussions. - .github/PULL_REQUEST_TEMPLATE.md — includes the version-bump checklist that CLAUDE.md says must stay in sync across 5 manifests; otherwise every contributor learns this rule by getting their PR bounced. ### Community files - CODE_OF_CONDUCT.md — short, project-specific document that names the expectations and reporting path. Not a verbatim Contributor Covenant to keep it readable. - SECURITY.md — describes the project's local-only threat model explicitly so reporters know what's in / out of scope before they spend time on a writeup. Points at GitHub private vulnerability reporting as the primary channel. ### CI (#249) - ci.yml now also runs on pushes to main, not only PRs. Without this, a direct push to main (which happens when maintainers merge a PR branch locally) doesn't trigger CI, so a regression can land green- looking and stay broken for days. - Added a concurrency group that cancels stale runs for the same ref. Saves runner minutes and keeps the per-ref status meaningful. - Used `github.ref` (a controlled value), not user-controlled input, so no script-injection surface. ### package.json (#248) - Added description, license, repository, bugs, homepage, keywords — the standard set for npm package discoverability and so GitHub's community-profile check shows the project at 100%.
2.0 KiB
Reporting security issues
Thanks for taking the time to disclose responsibly.
How to report
Please use GitHub's private vulnerability reporting on this repository. That keeps the report visible to the maintainer without exposing the details publicly.
If private reporting is unavailable for any reason, open a regular issue
titled security: brief description without any exploit details, and
the maintainer will reply with a private channel.
What to include
- A description of the issue and its potential impact.
- Steps to reproduce — minimal is fine, a full PoC is not required.
- Affected versions if you've narrowed them down.
- Whether you'd like to be credited in the eventual fix.
What to expect
- Initial acknowledgement within a few days.
- A fix or mitigation plan within ~30 days for confirmed issues; longer for cases that require coordinated disclosure with upstream dependencies.
- Public credit once a fix has shipped, if you'd like.
Scope
This project is a local-only static-analysis tool. It runs on a
developer's machine, reads the analyzed project, and writes the resulting
graph to .understand-anything/. It does not phone home and the dashboard's
file-content endpoint is gated behind an access token and a graph-derived
path allowlist.
Issues we care about:
- Code execution triggered by analyzing a hostile project (e.g. a path in a hostile file leaking outside the analyzed directory, or untrusted JSON in the graph being executed by the dashboard).
- The dashboard's file-content endpoint serving files outside the allowlist.
- The
/understandskill running shell commands derived from untrusted paths or contents.
Issues that are out of scope:
- Bugs that require a malicious local user with write access to the analyzed project (they could just edit the source directly).
- Anything that requires the user to copy a malicious URL and paste it back into the dashboard.