Only the latest minor release receives security updates.

Do not open a public GitHub issue for security reports.

Please use GitHub's private vulnerability reporting: https://github.com/ochairo/databehave-kit/security/advisories/new

Include:

• A short description of the issue and its impact.
• Steps to reproduce (a minimal failing databehave.config.jsonc + HTTP request is ideal).
• Affected version(s) and Node.js version.
• Any suggested fix or mitigation.

We aim to acknowledge reports within 3 business days and to publish a patched release within 14 days of a confirmed report.

databehave-kit is a development / testing tool intended to run inside trusted environments (local dev, CI, internal staging). The main attack surfaces we care about are:

• Path-traversal in the JSONC endpoints map causing handler imports outside the config directory.
• Unbounded CPU / memory consumption when parsing crafted OpenAPI documents (DoS in build pipelines).
• CORS misconfiguration enabling cross-origin reads of mock data when databehave-kit is reachable from a browser.
• Determinism bugs in the OpenAPI walker (same OAS + same seed → different output) — correctness issue with security impact for test reproducibility.

Issues outside this scope (e.g. behaviour of user-supplied handler modules, production deployments of databehave-kit) should be reported to the relevant project. databehave-kit is not designed to face the public internet.

The databehave.config.json / .jsonc file is executed, not just parsed:

• Every endpoints[*].handler string is passed to a dynamic import(). Absolute paths are honoured verbatim, so a config that points at /etc/passwd.js will attempt to load whatever the running process has read access to — and a .js file under node_modules/ could run on load.
• openapi is readFile'd relative to the config directory; the path is not sandboxed.
• $(ENV_VAR) interpolation in the JSON pulls from process.env, including secrets if a secret is named there.

Treat the config file like source code:

• Only load configs you authored or audited; never accept one from an untrusted source (HTTP upload, untrusted contributor PR, etc).
• Avoid running databehave-kit as a privileged user or with broad filesystem access.
• Use the handlers option (loadDataBehaveKitJsonConfig(path, { handlers })) in test environments to pin every handler to a vetted in-process implementation and bypass dynamic import() altogether.