| Version | Supported |
|---|---|
| 0.1.x | ✅ |

If you discover a security vulnerability in shelfr, please report it responsibly:
- Do NOT open a public GitHub issue for security vulnerabilities
- Email the maintainers directly or use GitHub's private vulnerability reporting feature
- Include as much detail as possible:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact
  - Suggested fix (if any)
We will acknowledge receipt within 48 hours and provide a more detailed response within 7 days.

shelfr handles sensitive information that should never be committed to version control:

| Data | Location | Risk |
|---|---|---|
| qBittorrent credentials | config/.env | Unauthorized access |
| API keys | config/.env | Service abuse |

- Never commit `.env` files; they are gitignored by default
- Use environment variables in production/containerized deployments
- Restrict file permissions on config files: `chmod 600 config/.env`
- Review `config.yaml` before committing; ensure no secrets are embedded
- Use separate credentials for shelfr vs. your main accounts when possible
For Unraid/Linux deployments:

```bash
# Restrict access to secrets
chmod 600 config/.env
chmod 600 config/config.yaml
# Ensure proper ownership
chown $USER:$USER config/.env config/config.yaml
```

If running in Docker:
- Mount config files as read-only when possible
- Use Docker secrets for sensitive values
- Don't expose qBittorrent WebUI to the internet without authentication
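The three checks above (owner-only permissions on `config/.env` and `config/config.yaml`, `.env` kept out of git, and no literal secrets left in `config.yaml`) can be verified before every commit. The script below is an added example and not part of shelfr; it only takes the file names from this page. The check functions, the `.gitignore` line match (a plain line comparison, not full gitignore semantics) and the constructed fixture are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of shelfr itself: a small pre-commit style audit of
# the config/ layout described above. It checks that config/.env and
# config/config.yaml are owner-only (mode 600), that .env is listed in
# .gitignore, and that config.yaml carries no literal credential values
# (environment references such as ${QBT_PASSWORD} are allowed). The file
# names come from the page; the check functions and the fixture are this
# example's own assumptions.

# mode_of FILE -> prints the octal permission bits (GNU stat, then BSD stat)
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_mode FILE -> exit 0 if FILE is exactly mode 600, 1 otherwise
check_mode() {
    [ "$(mode_of "$1")" = "600" ]
}

# env_is_ignored REPO -> exit 0 if .gitignore has a line that covers .env
# (simple line match, not full gitignore semantics)
env_is_ignored() {
    grep -Eq '^(\*\*/|config/|\*)?\.env$' "$1/.gitignore" 2>/dev/null
}

# has_literal_secrets FILE -> exit 0 if a credential-like key (password,
# api_key, token, secret) is assigned a literal value rather than an
# environment reference ($VAR or ${VAR}); comment lines are skipped
has_literal_secrets() {
    grep -Eiq "^[[:space:]]*[^#]*(password|api_?key|token|secret)[[:space:]]*[:=][[:space:]]*[\"']?[^[:space:]\"'\$]" "$1"
}

# audit_repo REPO -> prints one line per finding; exit 0 only if all checks pass
audit_repo() {
    rc=0
    for f in config/.env config/config.yaml; do
        if [ -e "$1/$f" ] && ! check_mode "$1/$f"; then
            echo "FAIL: $f is mode $(mode_of "$1/$f"), expected 600"
            rc=1
        fi
    done
    if ! env_is_ignored "$1"; then
        echo "FAIL: .env is not covered by .gitignore"
        rc=1
    fi
    if [ -e "$1/config/config.yaml" ] && has_literal_secrets "$1/config/config.yaml"; then
        echo "FAIL: config/config.yaml embeds a literal credential"
        rc=1
    fi
    return $rc
}

# build_demo_repo DIR -> constructed checkout with two deliberate problems:
# a world-readable .env and a plaintext password in config.yaml
build_demo_repo() {
    mkdir -p "$1/config"
    printf '.env\n' > "$1/.gitignore"
    printf 'QBT_USERNAME=admin\nQBT_PASSWORD=example-only\n' > "$1/config/.env"
    chmod 644 "$1/config/.env"
    cat > "$1/config/config.yaml" <<'EOF'
qbittorrent:
  host: http://localhost:8080
  username: admin
  password: example-only   # constructed literal; should be ${QBT_PASSWORD}
EOF
    chmod 600 "$1/config/config.yaml"
}

# Usage: sh audit.sh /path/to/shelfr   (no argument runs the constructed demo)
if [ $# -gt 0 ]; then
    audit_repo "$1"
else
    demo_dir=$(mktemp -d)
    build_demo_repo "$demo_dir"
    audit_repo "$demo_dir" || echo "demo: findings above are expected for the fixture"
    rm -rf "$demo_dir"
fi
```

Run it as `sh audit.sh /path/to/your/checkout` from a git pre-commit hook or CI job; a non-zero exit blocks the commit. The secret scan deliberately accepts `$VAR` and `${VAR}` values so that a `config.yaml` which defers to the environment passes while one with a pasted password fails.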
We regularly update dependencies to patch known vulnerabilities. Run:

```bash
pip install --upgrade -e ".[dev]"
```

To check for known vulnerabilities in dependencies:

```bash
pip install pip-audit
pip-audit
```