This repository is a personal Neovim configuration. It contains no server components, no network services, and no credential handling in its own code. Security concerns here are limited to:

- Plugin supply chain: plugins are fetched by `vim.pack` from GitHub over HTTPS. Commit hashes are locked in `nvim-pack-lock.json`.
- LSP server execution: LSP binaries are resolved from `$PATH` at startup. A malicious binary on `$PATH` would run with your privileges.
- REST client (`plugins/rest.lua`): reads local `.env` files and passes their values as curl arguments. A malicious `.env` file in a project could inject curl flags; the typical vector is a value that begins with `-`, which curl parses as an option whenever it lands in a positional argument slot that is not preceded by `--`.
- `lua/config/local.lua`: executed as Lua on startup. This file is intentionally gitignored; do not commit sensitive values here and do not accept a `local.lua` from an untrusted source.
- External tool execution: `git`, `fd`, `rg`, `fzf`, `prettierd`, `ionice`, and LSP servers are spawned via `vim.system`, which runs the process directly rather than through a shell. Only tools resolved from `$PATH` by name are invoked.
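The `.env` point above in concrete form. This is an added illustration, not the config's own `plugins/rest.lua`: the request shape (`url`, `headers` and `body` strings with `{{NAME}}` placeholders), the minimal dotenv grammar and the malicious `.env` text are all assumed or constructed for the example. The naive builder puts the expanded URL in a positional argv slot, where curl reads a leading `-` as an option; the hardened builder pins the scheme with `--proto`, sends the body with `--data-raw` so a value starting with `@` is not read from a local file, refuses header values containing line breaks, and ends option parsing with `--` before the URL.

```lua
-- Added illustration (not this config's plugins/rest.lua): how a value from
-- a project-local .env becomes a curl option when it lands in a positional
-- argv slot, and one way to build argv so that it cannot.
-- Pure Lua 5.1/LuaJIT; run with `lua rest-args.lua` or `nvim -l rest-args.lua`.

-- Minimal dotenv parser: KEY=VALUE per line, '#' comments, optional quotes.
-- (The real .env grammar is richer; this is enough for the demonstration.)
local function parse_dotenv(text)
  local vars = {}
  for line in (text .. "\n"):gmatch("(.-)\n") do
    line = line:match("^%s*(.-)%s*$")
    if line ~= "" and not line:match("^#") then
      local key, value = line:match("^([%w_]+)%s*=%s*(.*)$")
      if key then
        vars[key] = value:match('^"(.*)"$') or value:match("^'(.*)'$") or value
      end
    end
  end
  return vars
end

-- Replace {{NAME}} placeholders (an assumed template syntax) with .env values.
local function expand(s, vars)
  return (s:gsub("{{([%w_]+)}}", function(name) return vars[name] or "" end))
end

-- Naive builder: the expanded URL is the last argv element with nothing
-- before it to stop option parsing, so "-K..." is read by curl as -K (read
-- further options from a config file), not as a URL.
local function build_argv_naive(req, vars)
  local argv = { "curl", "-s" }
  for _, h in ipairs(req.headers or {}) do
    argv[#argv + 1] = "-H"
    argv[#argv + 1] = expand(h, vars)
  end
  if req.body then
    argv[#argv + 1] = "-d"          -- a body of "@file" would make curl read that file
    argv[#argv + 1] = expand(req.body, vars)
  end
  argv[#argv + 1] = expand(req.url, vars)
  return argv
end

-- Hardened builder:
--  * --proto pins the scheme, so a .env URL cannot select file://, gopher://, ...;
--  * --data-raw sends the body verbatim, with no '@file' interpretation;
--  * header values containing CR/LF are refused rather than letting one
--    value add a second header;
--  * "--" ends option parsing, so whatever the URL expands to is only a URL.
-- Every other value sits right after an option that consumes it (-H,
-- --data-raw), so the URL is the only positional slot left.
local function build_argv_hardened(req, vars)
  local argv = { "curl", "-s", "--proto", "=http,https" }
  for _, h in ipairs(req.headers or {}) do
    local v = expand(h, vars)
    if v:find("[\r\n]") then
      return nil, "header value contains a line break: " .. h
    end
    argv[#argv + 1] = "-H"
    argv[#argv + 1] = v
  end
  if req.body then
    argv[#argv + 1] = "--data-raw"
    argv[#argv + 1] = expand(req.body, vars)
  end
  argv[#argv + 1] = "--"
  argv[#argv + 1] = expand(req.url, vars)
  return argv
end

-- Constructed malicious .env (not a real project file): BASE_URL is a curl
-- option with an attached argument, not a URL.
local EVIL_ENV = [[
TOKEN=abc123
BASE_URL=-K/tmp/attacker.curlrc
]]

local function demo()
  local vars = parse_dotenv(EVIL_ENV)
  local req = { url = "{{BASE_URL}}", headers = { "Authorization: Bearer {{TOKEN}}" } }
  return build_argv_naive(req, vars), build_argv_hardened(req, vars)
end

local naive, hardened = demo()
print("naive:    " .. table.concat(naive, " "))
print("hardened: " .. table.concat(hardened, " "))
assert(naive[#naive] == "-K/tmp/attacker.curlrc")   -- curl parses this element as an option
assert(hardened[#hardened - 1] == "--")             -- after "--" the same text can only be a URL
```

Either builder's table is what would be handed to `vim.system(argv)`. Because `vim.system` spawns the process without a shell, quoting is not the problem here; argument position is, and the fix is to make sure no `.env`-derived string can occupy a slot that curl parses as an option.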
If you find a security issue (e.g. a vector for remote code execution through the REST client, a plugin loading issue, or an unsafe default that could affect other users), please:

- Do not open a public issue.
- Report it privately through this repository's Security tab (Security → Advisories → Report a vulnerability). This opens a draft GitHub Security Advisory that only you and the maintainer can see.
- Include:
  - A description of the issue and the affected component
  - Steps to reproduce
  - Potential impact
  - A suggested fix if you have one
I will respond as quickly as practical. There are no SLA commitments for a personal config.
The latest tagged release and the current master branch are supported.
Older releases do not receive security maintenance.
Plugins are pinned by commit hash in nvim-pack-lock.json. Before running
:packupdate on a machine you care about, review the diff to nvim-pack-lock.json
and inspect any changed plugin source if it handles untrusted data.
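A pre-update check for the review step just described, added here as an example rather than anything shipped with this config. It assumes the lockfile layout `{"plugins": {<name>: {"src": <url>, "rev": <sha>}}}` (adjust `plugins_of` if yours differs), depends on `vim.json.decode` and so must be run with `nvim -l`, and the two embedded lockfile snapshots are constructed with placeholder plugin names, URLs and revisions. It separates the finding to stop on, a changed `src` (the same plugin name now pointing at a different repository), from ordinary `rev` bumps whose range you then inspect in the plugin's checkout.

```lua
-- Added example (not part of this config): report what an incoming
-- nvim-pack-lock.json would change relative to the one you have now.
-- Assumes the layout {"plugins": {<name>: {"src": <url>, "rev": <sha>}}};
-- adjust plugins_of() if your lockfile differs. Needs vim.json, so run it
-- with:  nvim -l audit-lock.lua [old.json new.json]

local function plugins_of(doc)
  return (type(doc) == "table" and doc.plugins) or {}
end

-- Compare two lockfile documents. Returns a list of findings sorted by
-- plugin name, each {name=, kind=, detail=} with kind one of
-- "added", "removed", "src", "rev".
local function compare_lockfiles(before_json, after_json)
  local before = plugins_of(vim.json.decode(before_json))
  local after = plugins_of(vim.json.decode(after_json))
  local findings = {}
  for name, b in pairs(before) do
    local a = after[name]
    if not a then
      findings[#findings + 1] = { name = name, kind = "removed", detail = tostring(b.src) }
    else
      if a.src ~= b.src then
        -- Same plugin name, different repository: find out why before
        -- anything is fetched.
        findings[#findings + 1] = { name = name, kind = "src",
                                    detail = tostring(b.src) .. " -> " .. tostring(a.src) }
      end
      if a.rev ~= b.rev then
        -- A normal update; the range to read is old..new in the checkout.
        findings[#findings + 1] = { name = name, kind = "rev",
                                    detail = tostring(b.rev) .. " -> " .. tostring(a.rev) }
      end
    end
  end
  for name, a in pairs(after) do
    if not before[name] then
      findings[#findings + 1] = { name = name, kind = "added", detail = tostring(a.src) }
    end
  end
  table.sort(findings, function(x, y)
    if x.name ~= y.name then return x.name < y.name end
    return x.kind < y.kind
  end)
  return findings
end

local function read_file(path)
  local f = assert(io.open(path, "rb"))
  local s = f:read("*a")
  f:close()
  return s
end

-- Constructed snapshots with placeholder names, URLs and revisions, used
-- when no file paths are given on the command line.
local BEFORE = [[
{"plugins": {
  "plugin-a": {"src": "https://github.com/example/plugin-a", "rev": "111111111111"},
  "plugin-b": {"src": "https://github.com/example/plugin-b", "rev": "222222222222"}
}}
]]
local AFTER = [[
{"plugins": {
  "plugin-a": {"src": "https://github.com/example/plugin-a", "rev": "333333333333"},
  "plugin-b": {"src": "https://github.com/someone-else/plugin-b", "rev": "222222222222"},
  "plugin-c": {"src": "https://github.com/example/plugin-c", "rev": "444444444444"}
}}
]]

local before_json = (arg and arg[1] and read_file(arg[1])) or BEFORE
local after_json = (arg and arg[2] and read_file(arg[2])) or AFTER

local findings = compare_lockfiles(before_json, after_json)
for _, f in ipairs(findings) do
  print(string.format("%-8s %-10s %s", f.kind, f.name, f.detail))
end
if before_json == BEFORE and after_json == AFTER then
  -- On the constructed input: one rev bump, one src change, one addition.
  assert(#findings == 3 and findings[1].kind == "rev"
         and findings[2].kind == "src" and findings[3].kind == "added")
end
```

Feed it the lockfile you currently have and the one you are about to apply (for example `git show <old-commit>:nvim-pack-lock.json` written to a temporary file, and the working copy). For each `rev` finding, read `git log --oneline <old>..<new>` in that plugin's checkout before running `:packupdate`; for any `src` finding, stop and establish why the repository moved.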
To audit current plugin URLs and locked commits:

```sh
cat nvim-pack-lock.json
```

To check for known vulnerabilities in npm-installed LSP servers (if you use `npm install -g` for servers like vtsls or bash-language-server):

```sh
npm audit
```

- `eval`/`loadstring` in plugins: not used in this config's own Lua code.
- Clipboard access: the system clipboard is only accessed on explicit user action (`\y`, `\p`). The `clipboard` option is intentionally unset.
- Network requests: only made by `vim.pack` (plugin install/update, over HTTPS) and the REST client (`plugins/rest.lua`, on explicit user invocation). No telemetry, no automatic outbound connections.