Security: WeOpen/WeBase

Security Policy

Supported versions

Security updates target the latest main branch and the latest tagged release.

Reporting a vulnerability

Please report suspected vulnerabilities through GitHub Security Advisories or by opening a private report with the maintainers. Do not disclose exploitable details in public issues before maintainers have had a chance to investigate.

Include:

  • affected version or commit
  • reproduction steps
  • expected and actual behavior
  • impact assessment
  • any known workaround

Production security boundary

WeBase Admin Template includes frontend route guards, permission guards, mock sessions, and HTTP adapter contracts. These are template conveniences, not a replacement for backend security.

Production deployments must enforce authentication, authorization, data-scope checks, audit logging, session expiry, CSRF protection where applicable, and rate limiting on the backend.

Dependency advisories

Run:

npm audit --omit=dev

The project pins PostCSS through npm overrides so transitive consumers use a patched release. Track upstream Next.js releases and remove the override once Next depends on a patched PostCSS version directly.
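One way to check whether the override is still needed is to list every copy of postcss in the lockfile and compare each against the patched version. This is an added example, not code from the WeBase repository; the function names, the placeholder minimum version `2.0.0`, and the sample lockfile data are all constructed for illustration.

```javascript
// Added example; package versions are constructed placeholders, not real advisory data.
const MIN_PATCHED = '2.0.0'; // placeholder: take the real value from the advisory

// Compare plain x.y.z versions (pre-release suffix ignored); returns <0, 0 or >0.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// True if `name` is pinned anywhere in the (possibly nested) npm "overrides" object.
function hasOverride(overrides, name) {
  if (!overrides || typeof overrides !== 'object') return false;
  return Object.entries(overrides).some(
    ([key, value]) => key === name || key.startsWith(name + '@') || hasOverride(value, name));
}

// Every installed copy of `name` in a lockfileVersion 2/3 package-lock.json.
function installedCopies(lock, name) {
  const tail = 'node_modules/' + name;
  return Object.entries(lock.packages || {})
    .filter(([path, meta]) => meta.version && (path === tail || path.endsWith('/' + tail)))
    .map(([path, meta]) => ({ path, version: meta.version }));
}

// Report whether an override exists and which installed copies are below minPatched.
function checkPin(pkg, lock, name, minPatched) {
  const copies = installedCopies(lock, name);
  const stale = copies.filter((c) => compareVersions(c.version, minPatched) < 0);
  return { overridePinned: hasOverride(pkg.overrides, name), stale,
           ok: copies.length > 0 && stale.length === 0 };
}

// Constructed inputs: the lockfile with the override, and one regenerated without it.
const PKG = { overrides: { postcss: '2.0.0' } };
const LOCK_PINNED = { packages: {
  'node_modules/next': { version: '1.0.0' },
  'node_modules/postcss': { version: '2.0.0' } } };
const LOCK_UNPINNED = { packages: {
  'node_modules/postcss': { version: '2.0.0' },
  'node_modules/next/node_modules/postcss': { version: '1.9.0' } } };

console.log(checkPin(PKG, LOCK_PINNED, 'postcss', MIN_PATCHED));
console.log(checkPin({}, LOCK_UNPINNED, 'postcss', MIN_PATCHED));
```

To use it on a real project, pass the parsed `package.json` and `package-lock.json`. A nested stale copy in a lockfile regenerated without the override means the override should stay.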
