Files
wehub-resource-sync 3e076d4dd9
Deploy Worker / deploy (push) Failing after 1s
Shellcheck / Check shell scripts (push) Failing after 1s
CI / Build Packages (amd64 - appimage) (push) Has been skipped
CI / Build Packages (amd64 - deb) (push) Has been skipped
CI / Build Packages (amd64 - rpm) (push) Has been skipped
CI / Build Packages (arm64 - appimage) (push) Has been skipped
CI / Build Packages (arm64 - deb) (push) Has been skipped
CI / Test Flags Parsing (push) Failing after 1s
BATS Tests / BATS unit tests (push) Failing after 1s
CI / Build Packages (arm64 - rpm) (push) Has been skipped
CI / Test Build Artifacts (amd64) (push) Has been skipped
CI / Test Build Artifacts (arm64) (push) Has been skipped
CI / Update APT Repository (push) Has been cancelled
CI / Mirror Official .deb to Release (push) Has been cancelled
CI / Update DNF Repository (push) Has been cancelled
CI / Update AUR Package (push) Has been cancelled
CI / Create Release (push) Has been cancelled
chore: import upstream snapshot with attribution
2026-07-13 12:29:21 +08:00

1.8 KiB

Security Policy

Report suspected vulnerabilities privately via GitHub Security Advisories. Do not open a public issue or post details in Discussions.

Scope

This project repackages an upstream Electron app. The boundary matters:

In scope — things this repo ships:

  • Patches in scripts/patches/*.sh
  • Packaging scripts in scripts/packaging/
  • The launcher (scripts/launcher-common.sh) and the claude-desktop --doctor surface
  • CI workflows under .github/workflows/
  • The APT/DNF Cloudflare Worker under worker/
  • The frame-fix wrapper and any other JS we inject into app.asar

Out of scope — file upstream:

  • Vulnerabilities in the Claude Desktop application itself, the Anthropic API, or the claude.ai web app. Those go to Anthropic's support / disclosure channels — not here. This project can't fix them and shouldn't be the public record.

What to include in a report

  • Reproducer: commands, environment, distro / desktop / session type
  • Output of claude-desktop --doctor if relevant
  • Affected version(s) — git describe --tags or the release tag you installed from
  • Any related upstream CVEs or advisories you found while investigating

Response

GitHub Advisories notify @aaddrick. Acknowledgement is usually within a few days. Fix turnaround depends on the surface — packaging-layer bugs are usually fast; patches against minified upstream JS may need to wait for a tractable anchor in a future upstream release.

Disclosure history

Past privacy-sensitive fixes (e.g., issue-triage bot scoping, log redaction in --doctor output) landed through the normal PR flow with public history; there have been no embargoed disclosures to date. If that changes, this section gets entries with the advisory ID, the affected versions, and the fix.