├── LICENSE
└── SECURITY.md

/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2025 Svelte

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

--------------------------------------------------------------------------------
/SECURITY.md:
--------------------------------------------------------------------------------
# Security Policy

## Reporting a Vulnerability

To report a vulnerability, please privately report it via the Security tab on the correct GitHub repository ([see documentation](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability#privately-reporting-a-security-vulnerability)). Do not open a public issue.

Provide:

- A clear description of the issue
- Steps to reproduce
- Expected vs actual behavior
- Potential impact
- A proof of concept if possible
- Affected commit / version (if known)

## Acknowledgment Timeline

We aim to acknowledge receipt of a valid report within 1 week.

## Resolution Timeline

We aim to provide a remediation plan or decision within 4 weeks. Actual fix time may be shorter or longer depending on severity, complexity, and scope.

## Scope & Threat Model

In scope:

- Vulnerabilities introduced by code in this repository
- Supply-chain risks caused by how this repository consumes or distributes its own code (e.g. insecure GitHub Actions)

Out of scope:

- Issues only present in third-party dependencies (please report those upstream)
- Issues that can only be exploited when the underlying platform (browser, server runtime) is compromised
- Using untrusted user content without sanitization in places that are not explicitly sanitized by the framework (for example, in Svelte putting user content into `{@html ...}` is unsanitized, whereas `{...}` is sanitized insofar as the content cannot alter the HTML structure to e.g. insert script tags)
- Denial of service via excessive legitimate use

## Disclosure

Please keep reports private until a fix is released and a Security Advisory is public.

--------------------------------------------------------------------------------
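The scope section above draws the line between escaped `{...}` interpolation and raw `{@html ...}` insertion. The following JavaScript is an added illustration, not Svelte's own code: `escapeHtml`, `renderEscaped`, `renderRaw` and `introducesNewTags` are assumed names that model the two rendering paths, and the sample string is constructed. It shows what "cannot alter the HTML structure" means in practice, and gives a reviewer a mechanical check for whether a rendering path keeps the template's structure intact.

```javascript
// Added example (not Svelte's code). Models a framework's escaped text
// interpolation versus raw HTML insertion, so the out-of-scope item in the
// policy can be checked mechanically.

// Stand-in for a framework text escaper (assumption, not Svelte's implementation).
// Replacing these characters means user content can only ever become text nodes.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// The {...} path: untrusted content is escaped before it meets the markup.
function renderEscaped(userContent) {
  return `<p class="comment">${escapeHtml(userContent)}</p>`;
}

// The {@html ...} path: the string is spliced into the markup verbatim.
// Sanitizing before calling this is the application's responsibility.
function renderRaw(userContent) {
  return `<p class="comment">${userContent}</p>`;
}

// Structural check: does the output contain any tag other than the single <p>
// wrapper the template itself produced? A "true" here means user content was
// able to change the HTML structure.
function introducesNewTags(html) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.some((tag) => !/^<\/?p\b[^>]*>$/.test(tag));
}

// Constructed sample: markup-laden text of the kind a reviewer uses to confirm
// that a rendering path cannot add elements to the page.
const constructedSample = 'Nice post <b>everyone</b> & <a href="x">link</a>';

// Summary for a stand-alone run: which path keeps the template's structure.
function checkPaths(sample = constructedSample) {
  return {
    escapedAddsTags: introducesNewTags(renderEscaped(sample)),
    rawAddsTags: introducesNewTags(renderRaw(sample)),
  };
}

console.log(checkPaths());
```

Read against the policy: a report that only works because an application passes untrusted input through the raw path (`rawAddsTags === true`) is the application's bug and falls under the out-of-scope item; a report showing the escaped path producing new tags (`escapedAddsTags === true`) would be a framework sanitization defect and is what the policy asks to be reported privately.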