Security advisories
Published CVEs and security fixes for grith.
Published security advisories for grith. Subscribe to the RSS feed at
/changelog.xml to be notified of new advisories.
How to subscribe
- RSS — https://docs.grith.ai/changelog.xml. Filter the feed for category=security to get advisories only.
- GitHub Security Advisories — at github.com/grith-ai/grith/security/advisories.
- Mailing list — sign up at grith.ai/security/announce.
Current advisories
ℹ️ No advisories yet
No security advisories have been published against grith to date (current release: v0.1.4, May 2026). When the first one ships, it will appear here with a CVE identifier, affected versions, and remediation steps.
Advisory format
Each advisory will include:
- Identifier — GHSA-... or CVE-....
- Severity — CVSS v3.1 score and rating.
- Affected versions — version range.
- Fixed in — the version that contains the patch.
- Description — what the issue is.
- Impact — what an attacker could do.
- Reproduction — minimal PoC (published only after the fix is widely available).
- Mitigation — workarounds for users who can't upgrade immediately.
- Credit — researcher acknowledgement (if they accepted credit).
- Timeline — report date, fix date, disclosure date.
Patching policy
- Critical (CVSS ≥ 9.0) — patch released within 7 days of confirmation.
- High (CVSS 7.0–8.9) — within 30 days.
- Medium (CVSS 4.0–6.9) — included in the next planned release.
- Low (CVSS < 4.0) — fixed when convenient.
Update notification
grith checks for updates daily by default (general.update_check = true).
When an update is available, a one-line notice appears at REPL start and
daemon start. Security updates are flagged separately so you can tell "this
is a security patch" from "this is a feature release".
To disable update checks:
[general]
update_check = false
(Disable only if you have an alternative notification mechanism — air-gapped deployments etc. should subscribe to the RSS feed or mailing list instead.)