If you discover a security vulnerability in this repository, please do not open a public issue. Use the private channel below so we can triage and fix it before public disclosure.
Only the latest commit on the main branch is actively maintained. Older commits are not patched — please repin or rebase before reporting.
Report privately through GitHub Security Advisories.
Please include:
- Type of issue (XSS, RCE, info disclosure, supply chain, DoS, …)
- A short description and impact assessment
- Steps to reproduce
- The affected commit or version
- Whether it has already been disclosed publicly
- Acknowledgement: within 72 hours
- Triage and severity: within 7 days
- Fix: depends on severity (critical → days; low → weeks)
- Public disclosure: coordinated, after a fix is available
- Vulnerabilities in upstream dependencies (Next.js, Fumadocs, Tailwind, lucide-react, …) — please report directly to the affected project.
- Issues in user forks of this template — these are the adopter's responsibility.
- Anything that is not a security issue — please use the regular issue templates.
When you fork this template to host your own docs, consider enabling:
- Dependabot security updates — add
.github/dependabot.ymlwithpackage-ecosystem: npm(orpnpm) and a sensible schedule. - GitHub CodeQL — free on public repos, under the Security tab.
- Secret scanning + push protection — GitHub repository settings.
- Security headers — extend
next.config.mjswithheaders()forContent-Security-Policy,Strict-Transport-Security,X-Frame-Options,Referrer-Policy, andPermissions-Policy. - Lockfile pinning in CI — already enforced here via
pnpm install --frozen-lockfilein the lint, types, and build workflows. - A private package proxy if you publish internal packages consumed by your fork.
These are not required to use the template, but they significantly reduce the attack surface of any deployed documentation site.