Doccupine is published to npm and released frequently. Security fixes are issued only for the latest published version. Before reporting an issue, please upgrade to the newest release and confirm it still reproduces:
npx doccupine@latest --version| Version | Supported |
|---|---|
| Latest release | ✅ |
| Older releases | ❌ |
Please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests.
Use one of these private channels instead:
- GitHub private advisories (preferred) - open a report at https://github.com/doccupine/cli/security/advisories/new. This keeps the details private until a fix is released.
- Email - team@doccupine.com
Please include:
- A description of the vulnerability and its impact
- Steps to reproduce, ideally a minimal proof of concept
- The Doccupine version (
npx doccupine --version) and your environment - Any suggested remediation
- We will acknowledge your report within 3 business days.
- We will confirm the issue, assess its severity, and keep you updated on progress.
- Once a fix ships, we will credit you in the release notes unless you prefer to stay anonymous.
Doccupine is a CLI that generates a Next.js application you run and host yourself. A few points matter when assessing the security surface:
- API keys and secrets - the generated app reads provider keys (
OPENAI_API_KEY,ANTHROPIC_API_KEY,GOOGLE_API_KEY), an optionalDOCS_API_KEY, and an optionalSITE_PASSWORDfrom environment variables. These belong in the generated app's.envfile, which is git-ignored by default. Never commit real keys. - MCP endpoint - the
/api/mcproute requires a bearer token only whenDOCS_API_KEYis set. IfDOCS_API_KEYis not set, the endpoint is publicly accessible with no authentication. SetDOCS_API_KEYbefore exposing the generated site publicly. - Site password -
SITE_PASSWORDgates the whole site behind a single shared password. It is a lightweight access gate, not a substitute for per-user authentication. - Generated output - review generated code before deploying to production, especially if you customize templates.
Reports about the Doccupine CLI itself and about insecure defaults in the code it generates are both in scope. Vulnerabilities in third-party dependencies should be reported upstream, but we welcome a heads-up so we can bump versions promptly.