If you discover a security vulnerability in Twining, please report it through GitHub Security Advisories.
Do not open a public issue for security vulnerabilities.
The following are in scope:
- The Twining MCP server (`src/`)
- The Claude Code plugin (`plugin/`)
- The web dashboard (`src/dashboard/`)
- File storage and locking mechanisms
- Any data exposure through the MCP protocol
- Acknowledgment: Within 48 hours
- Resolution target: Within 14 days for confirmed vulnerabilities
- Disclosure: Coordinated disclosure after a fix is available
Only the latest published version on npm receives security updates.
| Version | Supported |
|---|---|
| Latest | Yes |
| Older | No |