FlyQL is pre-1.0. Security fixes are applied to the latest release only across all language implementations (Go, Python, JavaScript).
| Package | Supported version |
|---|---|
| flyql (Python) | latest |
| flyql (Go module) | latest |
| flyql (JS) | latest |
Older releases do not receive backports.
Please do not open a public GitHub issue for security vulnerabilities.
Use GitHub's private vulnerability reporting to submit your report. This keeps the details confidential until a fix is available. Please include the following in your report:
- Description of the vulnerability
- Steps to reproduce (a minimal FlyQL expression and configuration that triggers the issue)
- Which language implementation is affected (Go, Python, JavaScript, or all)
- Impact assessment, if you have one

After you submit a report, you can expect:
- Acknowledgement within 7 days
- We will work with you to understand and validate the issue
- A fix will be developed privately and released as a patch
- You will be credited in the release notes unless you prefer otherwise
The following are considered in-scope:
- SQL injection bypasses — any FlyQL expression that produces unsafe SQL output
- AST manipulation that circumvents validation or filtering rules
- Denial of service via crafted expressions (e.g., catastrophic backtracking in regex handling)
- Vulnerabilities in any of the language implementations (Go, Python, JavaScript)
Note on matcher regex safety (Python). The Python matcher's RE2-backed regex and LIKE evaluation is provided by the `[re2]` extra (`pip install flyql[re2]`). Without the extra, every regex and LIKE evaluation raises `ERR_RE2_MISSING`; by design there is no silent fallback to the stdlib `re` module, which accepts backreferences and lookahead and therefore offers no linear-time guarantee. Downstream integrators who rely on RE2's protection against catastrophic backtracking must install the extra and pin `google-re2>=1.1`. Go uses the stdlib `regexp` package (RE2 semantics, always available); JavaScript uses the native `RegExp` engine (PCRE-like, not RE2-safe, as documented in the matcher docs).
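The fail-closed behaviour described above, as an added illustration rather than FlyQL's own code: the backend is loaded only from the `re2` module, a missing module raises instead of falling back to `re`, and patterns that rely on syntax RE2 rejects (backreferences, lookaround) are refused up front. The function names and the error class are hypothetical.

```python
"""Fail-closed RE2 backend selection (hypothetical illustration, not FlyQL code)."""
import importlib
import re
from typing import Optional


class Re2MissingError(RuntimeError):
    """Raised instead of silently falling back to the stdlib `re` module."""


# Syntax RE2 rejects but stdlib `re` accepts. These are the constructs that let
# `re` backtrack catastrophically, so a pattern needing them must never reach a
# silent `re` fallback. The scan is deliberately conservative: an escaped
# backslash followed by a digit (\\1) is also flagged.
_NON_RE2_SYNTAX = re.compile(
    r"\\[1-9]"            # numeric backreference \1..\9
    r"|\(\?P=\w+\)"       # named backreference (?P=name)
    r"|\(\?=|\(\?!"       # lookahead
    r"|\(\?<=|\(\?<!"     # lookbehind
)


def uses_non_re2_syntax(pattern: str) -> bool:
    """Return True if the pattern relies on constructs RE2 does not support."""
    return _NON_RE2_SYNTAX.search(pattern) is not None


def load_re2_backend():
    """Return the google-re2 module, or raise if the extra is not installed."""
    try:
        return importlib.import_module("re2")
    except ImportError as exc:
        raise Re2MissingError(
            "ERR_RE2_MISSING: install the [re2] extra; no fallback to `re`"
        ) from exc


def compile_pattern(pattern: str, backend: Optional[object] = None):
    """Compile a user-supplied pattern with RE2 only.

    `backend` exists so the caller (or a test) can inject an object with a
    `compile(pattern)` method; by default the real re2 module is required.
    """
    if uses_non_re2_syntax(pattern):
        raise ValueError("pattern uses syntax outside RE2's linear-time subset")
    backend = backend or load_re2_backend()
    return backend.compile(pattern)
```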
Out of scope:
- Bugs in third-party dependencies (report these upstream, but let us know if they affect FlyQL)
- Issues in the documentation site or playground that do not expose user data