Open the repository security page
Use GitHub’s private advisory workflow when available.
Include in the report
Provide:- affected Jolter version and platform;
- minimal reproduction;
- trust-boundary assumptions;
- observed behavior;
- expected behavior;
- whether untrusted network, archive, project, plugin, registry, or filesystem input is required;
- whether the issue affects installation, shims, diagnostics, cache, plugin resolution, or CI.
Current guarantees
Jolter is designed so:- release metadata and artifacts are fetched over HTTPS;
- redirects to non-HTTPS URLs are rejected;
- runtime and tool archives are verified before extraction;
- plugin WASM artifacts are verified before installation;
- archive paths, links, entry counts, and extracted sizes are constrained;
- installations are staged and then published atomically;
- concurrent metadata and installation publication is locked;
- cache cleanup is coordinated with active installation operations;
- downloaded runtimes are not executed during installation;
- telemetry is not implemented.