| Version | Supported |
|---|---|
| Latest | ✅ |
| Previous major | ✅ |
| Older versions | ❌ |
Please do not disclose security issues in public GitHub issues or discussions.
Report vulnerabilities by opening a GitHub issue using the Security Report template:
- Go to Issues → New Issue.
- Select Security Report.
- Fill in the structured fields — describe the vulnerability without including:
  - Live AWS access keys, secret access keys, or session tokens
  - Actual secret values from your Secrets Manager
  - Private keys or credentials
  - Any sensitive material not strictly necessary to understand the problem
Issues created with the Security Report template are visible to repository maintainers only.
You can expect:
- Initial acknowledgement: Within 2–3 business days
- Assessment & fix: Depending on severity:
  - Critical: Fix released within 1–2 weeks
  - High: Fix released within 1 month
  - Medium/Low: Fix released in next planned release (typically 1–2 months)
When using this library:
- Use IAM roles / Instance profiles — Never embed AWS credentials in code or configuration files
- Principle of least privilege — Grant only the minimum required IAM permissions (secretsmanager:GetSecretValue, etc.)
- Encrypt in transit — The library uses HTTPS by default; ensure TLS verification is enabled
- Monitor access — Enable CloudTrail and AWS Secrets Manager access logging
- Rotate credentials — Regularly rotate secrets stored in AWS Secrets Manager
- Update the package — Keep the library up to date to receive security fixes
- The library does not perform client-side encryption of secrets after retrieval — ensure your application handles sensitive values securely
- AWS Secrets Manager enforces API rate limits; see AWS documentation
- IAM policies are the primary security boundary; the library enforces no additional validation on secret names or values
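As an added example (not the library's own code), the following Python puts two of the points above into practice: it builds a least-privilege IAM policy that grants secretsmanager:GetSecretValue on named secret ARNs only, and it applies an allowlist check on secret names before any lookup, since the library itself performs no validation on names or values. The account id, region, ARNs and prefixes are constructed placeholders.

```python
"""Least-privilege policy builder and secret-name allowlist for an AWS
Secrets Manager client. Added example; not part of the library."""
import json
import re

# AWS Secrets Manager secret names may contain ASCII letters, digits and
# the characters /_+=.@- and are at most 512 characters long.
_SECRET_NAME_RE = re.compile(r"^[A-Za-z0-9/_+=.@-]{1,512}$")
_SECRET_ARN_PREFIX = "arn:aws:secretsmanager:"


def least_privilege_policy(secret_arns, allow_describe=False):
    """Return an IAM policy document that allows reading only secret_arns.

    secret_arns: iterable of Secrets Manager secret ARNs. Secret ARNs end in
    a random 6-character suffix, so a single secret is usually addressed
    either by its exact ARN or by a name pattern such as
    arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/db-*
    (account id and name are constructed placeholders).
    """
    arns = sorted(set(secret_arns))
    if not arns:
        raise ValueError("at least one secret ARN is required")
    for arn in arns:
        if not arn.startswith(_SECRET_ARN_PREFIX) or ":secret:" not in arn:
            raise ValueError(f"not a Secrets Manager secret ARN: {arn}")
    # Only the read action the client needs; DescribeSecret is opt-in.
    actions = ["secretsmanager:GetSecretValue"]
    if allow_describe:
        actions.append("secretsmanager:DescribeSecret")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ReadNamedSecretsOnly",
                "Effect": "Allow",
                "Action": actions,
                "Resource": arns,
            }
        ],
    }


def validate_secret_name(name, allowed_prefixes):
    """Reject a secret name unless it is well-formed and inside the
    application's own namespace (one of allowed_prefixes or below it)."""
    if not isinstance(name, str) or not _SECRET_NAME_RE.fullmatch(name):
        raise ValueError("invalid secret name")
    if not any(name == p or name.startswith(p + "/") for p in allowed_prefixes):
        raise PermissionError(f"secret {name!r} is outside the allowed namespace")
    return name


if __name__ == "__main__":
    # Constructed placeholder ARN; the policy is what you would attach to
    # the instance profile or task role that runs the client.
    policy = least_privilege_policy(
        ["arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/db-*"]
    )
    print(json.dumps(policy, indent=2))
    print(validate_secret_name("prod/db/password", ["prod"]))
```

The policy deliberately lists resources rather than using `*`, and validate_secret_name gives the calling code a second, application-level boundary so that a name taken from configuration or user input cannot reach for a secret outside the expected prefix even if the IAM policy is broader than intended.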