If you discover a security vulnerability in safe-tag, please report it by emailing scarlet. moore@outlook.com.au.

If you prefer not to use email, you can also report privately via GitHub Security Advisories ("Report a vulnerability" on the repository Security tab).

Please do not open a public issue for security vulnerabilities.

• Description of the vulnerability
• Steps to reproduce the issue
• Potential impact assessment
• Any suggested fixes (if available)

• Acknowledgment: Within 48 hours
• Initial Assessment: Within 1 week
• Fix Development: Within 2 weeks for critical issues
• Release: Coordinated disclosure after fix is available

safe-tag is designed with security in mind:

• No eval() or Function() usage: Pure JavaScript implementation
• Defensive programming: Handles hostile objects gracefully
• Minimal attack surface: Zero runtime dependencies
• Type safety: Full TypeScript coverage prevents many classes of bugs
• Memory safety: No direct memory manipulation or unsafe operations

1. Revoked Proxy Protection: Safely handles revoked proxies without crashing
2. Malicious Getter Mitigation: Isolates and contains throwing Symbol.toStringTag getters
3. State Restoration Guarantees: Ensures objects are returned to original state or operation fails cleanly
4. Cross-Realm Safety: Handles objects from different JavaScript execution contexts
5. No Side Effects: Read-only operations that don't modify global state

When using safe-tag in security-sensitive contexts:

• Use the default safeTag export for maximum protection
• Consider fastTag only in controlled environments with trusted inputs
• Monitor for unusual performance patterns that might indicate attacks
• Keep dependencies updated using automated tools
• Run regular security audits with npm audit

We appreciate security researchers and will acknowledge responsible disclosure in release notes (unless anonymity is requested).