GraphForge is pre-v1.0. The API is still maturing, and only the latest release receives security updates. If you discover a vulnerability, please update to the latest version first.
| Version | Supported |
|---|---|
| Latest (0.3.x) | ✅ |
| Older releases | ❌ |
We will begin supporting multiple versions once a stable v1.0 API is reached.
We take the security of GraphForge seriously. If you discover a security vulnerability, please follow these steps:
Please do not report security vulnerabilities through public GitHub issues.
Use GitHub's private vulnerability reporting:
- Go to the Security tab
- Click "Report a vulnerability"
- Fill out the form with details
Please include as much information as possible:
- Type of vulnerability (e.g., SQL injection, XSS, privilege escalation)
- Full paths of affected source files
- Location of affected code (tag/branch/commit or direct URL)
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the vulnerability
- Suggested fix (if you have one)
- Acknowledgment: We'll acknowledge your report within 48 hours
- Assessment: We'll assess the vulnerability and determine severity
- Timeline: We'll provide an estimated timeline for a fix
- Updates: We'll keep you informed of progress
- Credit: We'll credit you in the security advisory (unless you prefer to remain anonymous)
- Vulnerability confirmed: We verify the issue and assess severity
- Fix developed: A patch is developed and tested
- Advisory drafted: Security advisory prepared (GitHub Security Advisories)
- Release: Patched version released with security notes
- Disclosure: Public disclosure after users have time to update (typically 7 days)
When using GraphForge:
Always validate and sanitize user input before passing to Cypher queries:
from graphforge import GraphForge
db = GraphForge()
# ❌ DON'T: Direct user input in queries (injection risk)
user_input = request.form['name']
db.execute(f"MATCH (n:Person {{name: '{user_input}'}}) RETURN n")
# ✅ DO: Use parameterized queries or validate input
db.execute("MATCH (n:Person) WHERE n.name = $name RETURN n", {"name": user_input})Protect your database files:
# Set restrictive permissions on database files
chmod 600 mydata.dbAlways use transactions for write operations:
db.begin()
try:
# Your operations
db.commit()
except Exception:
db.rollback()
raiseKeep dependencies updated:
# Check for vulnerabilities
pip install safety
safety check
# Update dependencies
uv sync --upgradeGraphForge uses SQLite for persistence:
- File-based: Database files should have appropriate permissions
- No network security: SQLite doesn't have built-in network security
- Single-user: Not designed for concurrent multi-user access
- No query timeout: Long-running queries can cause DoS
- No resource limits: No built-in limits on memory/CPU usage
- No access control: No user authentication/authorization system
- MessagePack: Uses msgpack for serialization (ensure trusted data only)
Security scanning is configured in CI:
# Run security checks locally
bandit -c pyproject.toml -r src/Automated dependency updates via Dependabot:
# Manual security audit
pip install safety
safety check- Coordinated disclosure: We follow responsible disclosure practices
- Public disclosure timeline: 90 days from initial report or when patch is released
- CVE assignment: We'll request CVEs for significant vulnerabilities
- Security advisories: Published on GitHub Security Advisories
We believe in recognizing security researchers who help improve GraphForge. With your permission, we'll:
- Credit you in security advisories
- Mention you in release notes
Last Updated: 2026-05-06
Thank you for helping keep GraphForge secure!