If you discover a security vulnerability in pgpipe, please report it responsibly using GitHub Security Advisories:
- Go to https://github.com/RobertoGongora/pgpipe/security/advisories/new
- Fill in the advisory details
- Submit the report
Please do not open a public issue for security vulnerabilities.
- We will acknowledge your report within 7 days.
- We will provide an estimated timeline for a fix.
- We will notify you when the vulnerability is fixed.
- We will credit you in the release notes (unless you prefer to remain anonymous).
This policy applies to the pgpipe codebase and its official releases. It does not cover:
- Vulnerabilities in upstream dependencies (report those to the respective projects)
- Vulnerabilities in MySQL or PostgreSQL themselves
- Issues with user-provided configuration or credentials
| Version | Supported |
|---|---|
| Latest release | Yes |
| Older releases | Best effort |
- Store database passwords in environment variables or
.envfiles, not in YAML config files. - Restrict file permissions on
.pgpipe/config.yamland.env(they may contain credentials). - Use
PGSQL_SSLMODE=requirewhen connecting to hosted PostgreSQL providers over the internet.