Security: ABCrimson/modern-cmdk

SECURITY.md

Security Policy

Supported Versions

Version    Supported
1.x        Yes
< 1.0.0    No

Reporting a Vulnerability

If you discover a security vulnerability, please report it responsibly:

  1. Do not open a public GitHub issue
  2. Email security@crimson.dev with details
  3. Include steps to reproduce if possible
  4. Include the package name and version affected
  5. You will receive a response within 48 hours

We follow coordinated disclosure. We will credit reporters in the advisory unless they prefer to remain anonymous.

Scope

This policy covers:

  • modern-cmdk (core engine)
  • modern-cmdk/react (React adapter)
  • modern-cmdk-search-wasm (WASM search)
  • modern-cmdk (codemods) (migration codemods)
  • Documentation site (command.crimson.dev)
  • Interactive playground

Known Security Considerations

  • The WASM search engine requires SharedArrayBuffer for zero-copy mode, which needs cross-origin isolation headers. The engine falls back gracefully to structured clone when headers are absent.
  • The codemod CLI executes AST transforms on source files. Only run it on trusted codebases.
  • The command palette renders user-provided content (item labels, group headings). Ensure proper sanitization when rendering untrusted content.
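The zero-copy/fallback decision described in the first consideration, shown as an added example that is not modern-cmdk's own code: it checks the two response headers that browsers require for cross-origin isolation (Cross-Origin-Opener-Policy and Cross-Origin-Embedder-Policy), picks a transport the way the engine is described as doing, and shows why the two modes differ (shared memory versus a structured-clone copy). The function names and the `env` object standing in for browser globals are assumptions.

```javascript
// Added illustration, not part of modern-cmdk. Names are hypothetical.

// Header values a document must send before the browser exposes
// SharedArrayBuffer and sets `crossOriginIsolated` to true.
const REQUIRED_HEADERS = {
  'cross-origin-opener-policy': ['same-origin'],
  'cross-origin-embedder-policy': ['require-corp', 'credentialless'],
};

// Returns a list of problems; an empty list means the response qualifies
// for cross-origin isolation. `headers` is a plain object keyed by
// lower-case header name (what you would copy out of a Headers object).
function checkIsolationHeaders(headers) {
  const problems = [];
  for (const [name, accepted] of Object.entries(REQUIRED_HEADERS)) {
    const value = (headers[name] || '').trim().toLowerCase();
    if (!accepted.includes(value)) {
      problems.push(`${name}: got "${value}", need one of ${accepted.join(' | ')}`);
    }
  }
  return problems;
}

// Chooses the transport. `env` stands in for the browser globals
// `crossOriginIsolated` and `typeof SharedArrayBuffer !== 'undefined'`;
// anything short of full isolation falls back to structured clone.
function chooseTransport(env) {
  return env.crossOriginIsolated && env.hasSharedArrayBuffer
    ? 'zero-copy'
    : 'structured-clone';
}

// Hands an index (Uint8Array) to a worker over the chosen transport.
// Zero-copy: both sides view the same SharedArrayBuffer, so a write on one
// side is visible on the other. Structured clone: the worker gets a copy,
// as postMessage does by default, so writes stay local.
function shareIndex(indexBytes, transport) {
  if (transport === 'zero-copy') {
    const shared = new SharedArrayBuffer(indexBytes.byteLength);
    const view = new Uint8Array(shared);
    view.set(indexBytes);
    return { transport, payload: view, shared: true };
  }
  const copy = structuredClone(indexBytes);
  return { transport, payload: copy, shared: false };
}
```

When the header check reports problems, the deployment (not the engine) is what needs fixing; the engine will keep working on the copy path, just without zero-copy mode.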

Dependencies

  • The core package (modern-cmdk) has zero runtime dependencies.
  • The React adapter depends on react, react-dom, and radix-ui as peer dependencies.
  • We use Dependabot for automated dependency updates and monitor advisories via GitHub's security alerts.

Security Updates

Security patches are released as patch versions and published to npm within 24 hours of a confirmed vulnerability.

There aren’t any published security advisories