# Security Policy

## Supported Versions
| Version | Supported |
| --- | --- |
| Latest port workspace | Yes |

## Reporting A Vulnerability
Report security issues privately to the repository owner.

Do not include secrets, private credentials, server tokens, private modpack data, or production server data in public issues.

## Project Security Principles
- Keep secrets, tokens, `.env` files, certificates, private keys, and local server credentials out of the repository.
- Keep Minecraft run data, logs, local worlds, and generated build outputs out of version control.
- Document external dependency repositories in Gradle build files.
- Build release artifacts reproducibly with the Gradle Wrapper and Java 21.
- Run dependency review and release checks before publishing artifacts.

## Current Scope
The active mod changes Create Hose Pulley fluid-draining behavior through NeoForge configuration and mixins. Security review should focus on:

- unexpected file writes,
- unsafe external network calls,
- accidental inclusion of local worlds or logs,
- dependency and loader version drift,
- release artifact contents.