We provide security updates only for version 4.0.0 and above. Versions below 4.0.0 are no longer supported and will not receive security patches.
| Version | Supported |
|---|---|
| 4.x.x | ✅ |
| < 4.0.0 | ❌ |
Note: If you are using a version below 4.0.0, we strongly recommend upgrading to the latest 4.x.x version to receive security updates and bug fixes.
We take the security of om-data-mapper seriously. If you believe you have found a security vulnerability, please report it to us as described below.
Please do not report security vulnerabilities through public GitHub issues.
Instead, please report them using one of the following methods:
1. GitHub Security Advisories (Preferred)
   - Navigate to the Security tab of this repository
   - Click "Report a vulnerability"
   - Fill out the form with details about the vulnerability
2. Email
   - Send an email to: aleksandr.melnik.personal@gmail.com
   - Include the word "SECURITY" in the subject line
   - Provide a detailed description of the vulnerability
Please include the following information in your report:
- Type of vulnerability (e.g., XSS, SQL injection, code injection, etc.)
- Full paths of source file(s) related to the vulnerability
- Location of the affected source code (tag/branch/commit or direct URL)
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the vulnerability, including how an attacker might exploit it
You can expect the following response timeline:
- Initial Response: We will acknowledge receipt of your vulnerability report within 48 hours
- Status Update: We will send you regular updates about our progress, at least every 5 business days
- Resolution: We aim to resolve critical vulnerabilities within 30 days of the initial report
After you submit a report, we will:
- Confirm the problem and determine affected versions
- Audit code to find any similar problems
- Prepare fixes for all supported versions
- Release new versions and publish a security advisory
Disclosure policy:
- We request that you give us reasonable time to address the vulnerability before any public disclosure
- We will credit you in the security advisory (unless you prefer to remain anonymous)
- We will keep you informed about our progress toward a fix
When we release a security update:
- We will publish a GitHub Security Advisory
- We will release a new version with the fix
- We will update the CHANGELOG.md with security fix details
- We will notify users through GitHub releases and npm
When using om-data-mapper:
- Always use the latest version to ensure you have the latest security patches
- Review the CHANGELOG.md for security-related updates
- Enable Dependabot or similar tools to get notified of security updates
- Follow the principle of least privilege when processing untrusted data
- Validate and sanitize all input data before mapping
This library uses dynamic code generation (`new Function()`) for performance optimization. Mapping configurations MUST come from trusted sources only.
```typescript
// ✅ SAFE: Developer-defined configuration
const userMapper = Mapper.create({
  name: 'user.fullName',
  email: 'user.email'
});

// ✅ SAFE: Using Decorator API (recommended)
@Mapper()
class UserDTO {
  @Map('user.fullName')
  name: string;
}
```

```typescript
// ❌ DANGEROUS: User input as mapping config
const userConfig = JSON.parse(request.body.mappingConfig);
const mapper = Mapper.create(userConfig); // CODE INJECTION RISK!

// ❌ DANGEROUS: External untrusted source
const response = await fetch('https://untrusted-api.com/config');
const externalConfig = await response.json(); // parsed body, not the Response object
const externalMapper = Mapper.create(externalConfig); // CODE INJECTION RISK!
```

Why this matters: If an attacker can control the mapping configuration, they could inject arbitrary JavaScript code that executes with your application's privileges.
Recommended approach: Use the Decorator API (@Mapper, @Map, @Transform) which is compile-time safe and provides better performance (112-474% faster).
See the class documentation and docs/DECORATOR_API.md for more details.
If you have suggestions on how this process could be improved, please submit a pull request or open an issue.
Thank you for helping keep om-data-mapper and its users safe!