Do NOT file public GitHub issues for security vulnerabilities.

Report privately via GitHub Security Advisories.

Include: extension version, SVN version, OS, steps to reproduce, and potential impact.

This extension collects zero user data. No telemetry, analytics, tracking, or crash reporting.

All operations are local. The only external requests are to your configured SVN repository. Author avatars are generated locally (letter-based, no network calls).

Open source — verify: grep -rE "telemetry|analytics|posthog|segment" src/ package.json

• SVN credential cache: Stored in ~/.subversion/auth/svn.simple/ (mode 600). Never passed via CLI arguments.
• OS keychain: macOS Keychain, Windows Credential Manager, or Linux Secret Service (encrypted).
• SSH keys: Recommended. Managed by SSH agent, never exposed to extension code.

All error messages are sanitized before logging — passwords, tokens, paths, URLs, and IP addresses are redacted. Debug mode (svn.debug.disableSanitization: true) temporarily disables this; disable immediately after use.

1. Use SSH (svn+ssh://) or HTTPS — avoid plain HTTP
2. Keep svn.debug.disableSanitization set to false
3. Keep your SVN client updated
4. In CI/CD, use SSH keys — never --password flags

• Unit tests for credential handling, error sanitization, and XML injection prevention
• Static analysis via ESLint security rules
• Dependency scanning via npm audit

• Vulnerabilities: Security Advisories
• Questions: GitHub Issues