Email security@hypermemory.io with details. Do not open a public issue.
We aim to acknowledge within 48 hours and patch within 7 days for critical issues.
- The `@runstack-ai/hypermemory-core`, `@runstack-ai/hypermemory-visualizer-core`, `@runstack-ai/hypermemory-react`, `@runstack-ai/hypermemory-svelte` packages.
- The `skill/SKILL.md` agent integration file.
- The HyperMemory API itself — report API vulnerabilities directly to security@hypermemory.io.
- Third-party peer dependencies (`@cosmograph/cosmograph`, `3d-force-graph`, `three`, `react`, `svelte`).
- Never expose `hm_*` API keys in browser-shipped code. All authenticated calls should originate from server-side code.
- Treat `error.body` on thrown errors as opaque — log it, but don't render it to end users (server-side error messages may echo user input).
- Validate `to_key`/`from_key` values you accept from untrusted sources before passing to `store`/`addRelationships`.
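
One way to apply the last two recommendations in a server-side handler, as an added example that is not code from the HyperMemory project. The key pattern, the 100-item limit, the `relationships` request field and the `client.addRelationships(rels)` call shape are assumptions; adapt them to your key scheme and to the client you actually construct.

```javascript
// Added example. KEY_PATTERN is an assumed allowlist, not the HyperMemory key grammar.
const KEY_PATTERN = /^[A-Za-z0-9][A-Za-z0-9_.:-]{0,127}$/;
const MAX_RELATIONSHIPS = 100; // assumed per-request limit

// Returns a list of problems; an empty list means both keys passed validation.
function validateRelationship(rel) {
  if (rel === null || typeof rel !== "object" || Array.isArray(rel)) {
    return ["relationship must be an object"];
  }
  const problems = [];
  for (const field of ["from_key", "to_key"]) {
    const value = rel[field];
    if (typeof value !== "string") {
      problems.push(`${field} must be a string`);
    } else if (!KEY_PATTERN.test(value)) {
      problems.push(`${field} has disallowed characters or length`);
    }
  }
  return problems;
}

// Server-side only: `client` is built on the server with the hm_* key taken from
// the environment. Its addRelationships(rels) signature is assumed here.
async function handleAddRelationships(client, untrustedBody, log = console.error) {
  const rels = untrustedBody && untrustedBody.relationships;
  if (!Array.isArray(rels) || rels.length === 0 || rels.length > MAX_RELATIONSHIPS) {
    return { status: 400, body: { error: "invalid relationships" } };
  }
  const bad = rels.findIndex((r) => validateRelationship(r).length > 0);
  if (bad !== -1) {
    // Report the index only; never echo the rejected value back to the caller.
    return { status: 400, body: { error: `relationship ${bad} is invalid` } };
  }
  try {
    // Only the keys are checked above; validate any other fields the same way.
    await client.addRelationships(rels);
    return { status: 200, body: { ok: true } };
  } catch (err) {
    // error.body is opaque and may echo user input: log it, return a generic message.
    log("addRelationships failed", { body: err && err.body });
    return { status: 502, body: { error: "upstream request failed" } };
  }
}
```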