@deapi/ai-sdk-provider is the community/official AI SDK provider for deAPI. We take
security seriously and appreciate responsible disclosure.
This package follows semantic versioning. Security fixes are provided only for the latest published minor release line.
| Version | Supported |
|---|---|
| 0.2.x | ✅ |
| < 0.2.0 | ❌ |
Scope: image generation, embeddings, speech (text-to-speech), and transcription (speech-to-text). LLM/chat/tool-calling, image editing (inpainting), and video-via-AI-SDK are out of scope.
Do not open a public GitHub issue for security vulnerabilities.
Please report privately through one of the following channels:
- GitHub Private Security Advisory (preferred): Use the "Report a vulnerability" button under the Security tab of this repository.
- Email:
security@deapi.ai
Please include, where possible:
- A description of the vulnerability and its impact.
- Steps to reproduce (a minimal proof-of-concept is ideal).
- Affected version(s) of the package.
- Any suggested remediation.
| Stage | Target |
|---|---|
| Acknowledgement of receipt | Best effort |
| Security (P0) triage | 1 business day |
| Fix / mitigation / coordinated release | Communicated at triage |
We aim to keep you informed throughout the process and will coordinate a disclosure timeline with you. We do not operate a paid bug-bounty program.
The deAPI API key (prefix dpn-sk-) is your secret. This package is designed so that:
- The key is read lazily, per request — importing or constructing the provider never reads it.
- The key is supplied via the
DEAPI_API_KEYenvironment variable orsettings.apiKey, and is sent only as aBearertoken to the configuredbaseURL. - The Bearer key is never placed into thrown error objects or logs by this package.
Your responsibilities as a user:
- Never commit your API key to source control, and never embed it in client-side or public code.
- Be careful when logging errors. Errors thrown by this package are
APICallErrorinstances that may carryresponseBodyandrequestBodyValues(which can include your prompt or input). Do not blindly log full error objects in environments where that data could leak. - Rotate any key that may have been exposed, and prefer secret managers / environment injection over hard-coded values.
Thank you for helping keep deAPI and its users safe.