Security

Orchestrix is committed to maintaining a secure and resilient library for workflow orchestration.

Supply Chain Security

We take several proactive measures to ensure the security of our supply chain:

  • Zero Production Dependencies: Orchestrix is built to be lightweight and does not rely on any third-party production dependencies, significantly reducing the attack surface.
  • Automated Updates: We use Dependabot to monitor and update our development dependencies and GitHub Actions.
  • Provenance: We recommend and aim for signed builds and npm provenance to verify that the code you run is exactly what we built in our CI.

Security Policy

If you discover a security vulnerability, please follow our Security Policy.

Reporting a Vulnerability

  1. Do NOT open a public issue.
  2. Report the vulnerability privately via GitHub's "Report a vulnerability" feature or by contacting the maintainer.
  3. We will respond and coordinate a fix as soon as possible.

Best Practices for Users

When using Orchestrix in production, we recommend:

  1. Input Validation: Use the schema configuration with a library like Zod to validate all inputs before they reach your steps.
  2. Secrets Management: Never store secrets or sensitive information directly in the FlowContext if it's being logged or persisted.
  3. Execution Limits: Always set timeoutMs on steps that perform network operations to prevent resource exhaustion.
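
The three recommendations above, shown together in one runnable example. This is an added illustration, not code from the Orchestrix project: the step shape (`name`, `schema`, `timeoutMs`, `run`), the `runStep` helper and the plain-object `FlowContext` are assumptions about an Orchestrix-style step, and a hand-written validator with the same `parse()` contract stands in for a Zod schema so the file runs offline with no packages installed.

```javascript
// Added example, not code from the Orchestrix project: the three practices
// listed above implemented in plain Node.js with no third-party packages.
// The step shape (name, schema, timeoutMs, run) and the FlowContext object
// are assumptions about an Orchestrix-style step; a hand-written validator
// with the same parse() contract stands in for a Zod schema.

// 1. Input validation. Zod schemas expose parse(input), which returns the
//    cleaned value or throws; this stand-in does the same and drops keys the
//    step did not ask for, so unexpected fields never reach the step body.
const fetchUserSchema = {
  parse(input) {
    if (typeof input !== 'object' || input === null) {
      throw new Error('input must be an object');
    }
    const { userId } = input;
    if (typeof userId !== 'string' || !/^[a-z0-9-]{1,36}$/i.test(userId)) {
      throw new Error('userId must be a short alphanumeric identifier');
    }
    return { userId };
  },
};

// 2. Secrets management. Context keys that steps may need but that must
//    never reach a log line or a persisted snapshot. Redaction works on a
//    copy, so the live context keeps its real values.
const SECRET_KEYS = new Set(['apiKey', 'password', 'token', 'authorization']);

function redactContext(ctx) {
  const out = {};
  for (const [key, value] of Object.entries(ctx)) {
    out[key] = SECRET_KEYS.has(key) ? '[REDACTED]' : value;
  }
  return out;
}

// 3. Execution limits. Race the step body against a timer; on expiry, reject
//    with a timeout error and abort the body through an AbortSignal so a hung
//    network call releases its resources instead of holding the worker open.
function withTimeout(body, timeoutMs) {
  const controller = new AbortController();
  let timer;
  const deadline = new Promise((_, reject) => {
    timer = setTimeout(() => {
      reject(new Error(`step timed out after ${timeoutMs}ms`));
      controller.abort();
    }, timeoutMs);
  });
  return Promise.race([body(controller.signal), deadline])
    .finally(() => clearTimeout(timer));
}

// Run one step: validate first, log a redacted copy of the context, then
// execute the body under the step's timeoutMs.
async function runStep(step, rawInput, ctx, log) {
  const input = step.schema.parse(rawInput); // throws before the body runs
  log.push({ step: step.name, context: redactContext(ctx) });
  return withTimeout((signal) => step.run(input, ctx, signal), step.timeoutMs);
}

// Constructed step that simulates a network call taking delayMs and cancels
// its own timer when aborted.
function makeFetchUserStep(delayMs) {
  return {
    name: 'fetchUser',
    schema: fetchUserSchema,
    timeoutMs: 50,
    run: (input, _ctx, signal) => new Promise((resolve, reject) => {
      const pending = setTimeout(() => resolve({ user: input.userId }), delayMs);
      signal.addEventListener('abort', () => {
        clearTimeout(pending);
        reject(new Error('aborted'));
      });
    }),
  };
}

// Exercise all three controls and collect the outcomes for inspection.
async function demo() {
  const ctx = { apiKey: 'sk-constructed-example-key', region: 'eu-west-1' }; // constructed
  const log = [];
  const outcome = {};

  outcome.valid = await runStep(makeFetchUserStep(5), { userId: 'u-42', role: 'admin' }, ctx, log);
  outcome.invalid = await runStep(makeFetchUserStep(5), { userId: 42 }, ctx, log)
    .catch((err) => err.message);
  outcome.slow = await runStep(makeFetchUserStep(1000), { userId: 'u-42' }, ctx, log)
    .catch((err) => err.message);
  outcome.loggedContext = log[0].context; // apiKey appears as [REDACTED]
  outcome.logEntries = log.length;        // invalid input never reached the log
  return outcome;
}

demo().then((outcome) => console.log(JSON.stringify(outcome, null, 2)));
```

Two design points worth noting: validation runs before anything is logged, so a rejected input leaves no trace of the context, and the timeout rejects the caller before signalling the step, so the error the caller sees is the timeout rather than the step's own abort error.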

Released under the MIT License.