We actively support the following versions of duratypes with security updates:
| Version | Supported |
|---|---|
| 0.1.x | ✅ |
We take the security of duratypes seriously. If you discover a security vulnerability, please follow these steps:
- Do NOT create a public GitHub issue for security vulnerabilities
- Email maintainers with details about the vulnerability
- Include the following information in your report:
- Description of the vulnerability
- Steps to reproduce the issue
- Potential impact assessment
- Any suggested fixes or mitigations
- Acknowledgment: We will acknowledge receipt of your vulnerability report within 48 hours
- Initial Assessment: We will provide an initial assessment within 5 business days
- Updates: We will keep you informed of our progress throughout the investigation
- Resolution: We aim to resolve critical vulnerabilities within 30 days
- We follow responsible disclosure practices
- We will coordinate with you on the timing of public disclosure
- We will credit you for the discovery (unless you prefer to remain anonymous)
- We may request that you keep the vulnerability confidential until we have released a fix
When using duratypes in your applications:
- Input Validation: Always validate duration strings from untrusted sources
- Error Handling: Implement proper error handling for invalid duration formats
- Dependencies: Keep duratypes and its dependencies up to date
- Monitoring: Monitor for unusual parsing patterns that might indicate malicious input
- duratypes validates input formats strictly to prevent injection attacks
- Invalid formats raise
ValueErrorexceptions rather than failing silently - Regex patterns are designed to be safe against ReDoS (Regular Expression Denial of Service) attacks
- duratypes has minimal dependencies (only pydantic >=2.5)
- We regularly review and update dependencies for security vulnerabilities
- All dependencies are pinned to specific version ranges
Security updates will be:
- Released as patch versions (e.g., 0.1.1 → 0.1.2)
- Documented in the CHANGELOG.md
- Announced through GitHub releases
- Tagged with security labels for easy identification
- For security-related questions or concerns, please contact the maintainers through the project's GitHub repository. This security policy is reviewed and updated regularly to ensure it meets current best practices.