Ensure that your private key, which you might enter in the private .env file to use specific features of this package, always stays private. To do so, please make sure the .env file is never committed or pushed to your remote repository (see .gitignore), and also check the code of this package and its dependencies. The more reasonable people check this on a regular basis, the more secure this package can be.
If you find a potential security vulnerability, please raise a general issue without revealing the vulnerability itself. Just mention that you want to get in touch regarding a potential security vulnerability and let us know how we can contact you.
In order to protect your project from potentially questionable dependencies of dependencies of dependencies ..., we recommend taking a look at this issue describing the general postinstall exploit.
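The two hygiene points above (keeping the .env file out of git, and not letting dependency postinstall scripts run unreviewed) can be checked mechanically. The following POSIX shell script is an added example and not part of this package; it assumes a project directory that contains a .gitignore and optionally a .env and an .npmrc, and it relies on the npm `ignore-scripts=true` setting, which disables lifecycle scripts such as postinstall on `npm install`.

```shell
#!/bin/sh
# Added example (not part of this package): checks that a project directory
# keeps the .env secret out of git and disables npm lifecycle scripts.
# Assumed layout: the directory holds .gitignore, and optionally .env and .npmrc.

# Return 0 if .gitignore has a line that ignores .env exactly (".env" or "/.env").
gitignore_covers_env() {
    dir="$1"
    [ -f "$dir/.gitignore" ] || return 1
    grep -qxE '/?\.env' "$dir/.gitignore"
}

# Return 0 if .npmrc sets ignore-scripts=true, so postinstall hooks of
# dependencies (and their dependencies) do not run automatically.
npmrc_ignores_scripts() {
    dir="$1"
    [ -f "$dir/.npmrc" ] || return 1
    grep -qxE 'ignore-scripts[[:space:]]*=[[:space:]]*true' "$dir/.npmrc"
}

# Return 0 if .env is not tracked by git. If git is missing or the directory
# is not a work tree, we cannot tell, so only the .gitignore check applies.
env_not_tracked() {
    dir="$1"
    command -v git >/dev/null 2>&1 || return 0
    git -C "$dir" rev-parse --is-inside-work-tree >/dev/null 2>&1 || return 0
    ! git -C "$dir" ls-files --error-unmatch .env >/dev/null 2>&1
}

# Run all checks, print one line per finding, return the number of failures.
check_project() {
    dir="$1"
    failed=0
    if gitignore_covers_env "$dir"; then
        echo "ok: .gitignore ignores .env"
    else
        echo "FAIL: add '.env' to $dir/.gitignore"
        failed=$((failed + 1))
    fi
    if env_not_tracked "$dir"; then
        echo "ok: .env is not tracked by git"
    else
        echo "FAIL: .env is tracked; remove it from history and rotate the key"
        failed=$((failed + 1))
    fi
    if npmrc_ignores_scripts "$dir"; then
        echo "ok: npm lifecycle scripts are disabled (ignore-scripts=true)"
    else
        echo "FAIL: add 'ignore-scripts=true' to $dir/.npmrc"
        failed=$((failed + 1))
    fi
    return "$failed"
}
```

Usage: `check_project /path/to/project` exits non-zero when any check fails, so it can run as a pre-commit hook or CI step. With `ignore-scripts=true` in place, packages that legitimately need a build step must be built explicitly (for example with `npm rebuild <package>`), which is the point: scripts run only after someone has looked at them.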
We have not triggered any audits yet. The plan is to do so as soon as this package has a strong adoption and contributor base. We will then trigger audits via Zeppelin Solutions and publish the Zeppelin Solutions audit report.