| Version | Supported |
|---|---|
| 0.3.x | Yes |
| < 0.3 | No |
If you discover a security vulnerability, please report it responsibly:
- Do NOT open a public GitHub issue.
- Use GitHub Security Advisories to report privately.
- Include:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact
  - Suggested fix (if any)
We will respond within 48 hours and work on a fix promptly.
Since v0.3.0, the CLI encrypts private keys at rest using AES-256-GCM with scrypt KDF. Keys are stored in ~/.republic-sdk/keys.json with file permissions set to 0600 (owner-only access). For production use, consider:
- Hardware wallets or HSM integration
- Environment variable-based key injection
- Dedicated secret management (Vault, AWS KMS, etc.)
- Cryptographic operations use audited libraries: @noble/secp256k1 and @noble/hashes
- Dependencies are monitored via Dependabot for known vulnerabilities
- No native addons — pure JavaScript/TypeScript implementation
- All default endpoints use HTTPS
- The SDK supports custom RPC/REST endpoints for private node connections
- Network calls include retry logic with exponential backoff