Security fixes are applied to the latest code on the default branch.
Older snapshots, forks, and unmaintained branches are not guaranteed to receive security updates.

If you discover a security issue:
- Do not open a public issue with exploit details.
- Report it privately through GitHub Security Advisories (preferred) or direct maintainer contact.
- Include:
  - affected provider/module
  - reproduction steps
  - impact description
  - proof-of-concept data (minimal and safe)

- Acknowledgement target: within 72 hours
- Initial triage: severity + affected scope
- Fix plan: patch, tests, and release/update notes
- Coordinated disclosure after mitigation is available

This project performs network requests to third-party subtitle providers. Security considerations include:
- parser safety on untrusted HTML/JSON inputs
- archive/file handling from remote sources
- terminal output safety for untrusted strings
- secret/environment variable handling in local runtime