Mikk follows semantic versioning. Only the current stable release receives security fixes; older versions are not patched.
| Version | Security Updates |
|---|---|
| Latest stable (`npm install -g @getmikk/cli`) | ✅ Yes |
| Older versions | ❌ No — update to latest |
If you find a security issue in Mikk, please do not open a public GitHub issue.
Report privately via:
- GitHub: Use the Security Advisories tab (preferred)
- Email: security@getmikk.dev (if the repo link is unavailable)
Please include:
- A description of the vulnerability
- Steps to reproduce
- The affected version (`mikk --version`)
- Any suggested mitigations
You can expect an acknowledgement within 48 hours and a status update within 7 days.
Mikk is a local-only tool. All analysis runs on your machine:
- No telemetry. No data is sent to external servers.
- No cloud storage. `mikk.lock.json` and all artifacts stay on your filesystem.
- File access is path-guarded. The MCP server only reads files inside the declared `projectRoot`. Path traversal attempts are rejected.
- Semantic search embeddings are computed locally via `@xenova/transformers` if installed. No API keys required.
The security scanner (`mikk_security_scan` / `mikk security-scan`) is a static pattern matcher: it flags known patterns in source text, so it can both report benign code and miss issues that match no pattern. It is not a substitute for a professional security audit.