Worknot follows a rolling release model on the master branch. Only the latest version is supported with security updates.
| Version | Supported |
|---|---|
| Latest master | Yes |
| Older commits | No |
Worknot is a web-based tool that generates Cloudflare Worker scripts to proxy Notion pages on custom domains. Security concerns include:
- Generated Worker code: XSS, injection, or SSRF vulnerabilities in the output
- Frontend application: Vulnerabilities in the React UI that could affect users
- Dependencies: Known vulnerabilities in third-party packages

The following are out of scope:

- Notion's own security (report to Notion)
- Cloudflare Workers platform (report to Cloudflare)
- User-provided custom scripts/CSS (injected intentionally by the site owner)
If you discover a security vulnerability in Worknot, please report it responsibly:
- Open a GitHub Security Advisory at https://github.com/classmethod/worknot/security/advisories/new
- Include a clear description of the vulnerability and steps to reproduce
- Allow reasonable time for a fix before public disclosure

Response timeline:

- Acknowledgment: Within 5 business days
- Status update: Within 10 business days
- Fix timeline: Depends on severity; critical issues are prioritized
We appreciate responsible disclosure and will credit reporters (unless anonymity is preferred).