Security
Wire UI takes security seriously. This page outlines our security practices and how to report vulnerabilities.
Reporting Vulnerabilities
If you discover a security vulnerability in Wire UI, please report it responsibly.
Do not open a public GitHub issue for security vulnerabilities. Instead:
- Email security@wire-ui.com with a description of the vulnerability
- Include steps to reproduce the issue if possible
- Allow reasonable time for a fix before public disclosure
We aim to acknowledge reports within 48 hours and provide a fix timeline within 7 days.
Security Practices
No runtime dependencies
@wire-ui/react, @wire-ui/vue, and @wire-ui/solid all ship with zero runtime dependencies. The only peer dependency is the host framework itself (React, Vue, or SolidJS). This minimizes the attack surface — there are no transitive dependencies that could introduce supply chain vulnerabilities.
No CSS or external resources
Wire UI ships no CSS, no fonts, no images, and makes no network requests. Components are pure JavaScript/TypeScript. This eliminates entire classes of vulnerabilities related to external resource loading, CSS injection, and CORS issues.
No raw HTML injection
Wire UI components never use React’s dangerouslySetInnerHTML, Vue’s v-html, or any equivalent escape hatch in SolidJS. All rendering uses each framework’s standard template/JSX, which automatically escapes content and prevents XSS attacks.
No eval or dynamic code execution
The library never uses eval(), Function(), or any form of dynamic code execution. All code paths are statically analyzable.
Content Security Policy (CSP) compatible
Wire UI is fully compatible with strict Content Security Policy headers. Since there are no inline styles, inline scripts, or external resources, you can use the strictest CSP without any Wire UI-specific exceptions:
Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self'
Data attributes are safe
Wire UI exposes interactive state via data-* attributes (e.g., data-hover, data-state). These are standard HTML attributes — they cannot execute code and are safe by design. Their values are always empty strings or predefined constants ("open", "closed", "checked", etc.), never user input.
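To check that a deployed policy stays as strict as the Content-Security-Policy header shown in the CSP section above, the following added example (not Wire UI code) parses a policy value and reports sources that weaken script-src or style-src, applying the default-src fallback. The function names, the list of weak sources, and the weakened sample policy are assumptions made for illustration.

```javascript
// Added example: audit a Content-Security-Policy value for sources that
// weaken script or style restrictions. All names here are hypothetical.

// Source expressions that loosen a strict script-src / style-src.
const WEAK_SOURCES = new Set([
  "'unsafe-inline'", "'unsafe-eval'", "'unsafe-hashes'", "'wasm-unsafe-eval'",
  "*", "data:", "blob:", "http:", "https:",
]);

// Parse a policy string into Map<directive, sources[]>.
// Directive names are case-insensitive; a repeated directive is ignored
// (the first occurrence wins), as in browser CSP parsing.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Return a list of findings; an empty list means script-src and style-src
// (or their default-src fallback) contain no weakening source.
function auditCsp(policy) {
  const directives = parseCsp(policy);
  const findings = [];
  for (const name of ["script-src", "style-src"]) {
    // Fetch directives fall back to default-src when absent.
    const effective = directives.has(name) ? name : "default-src";
    const sources = directives.get(effective);
    if (sources === undefined) {
      findings.push(`${name}: not restricted (no ${name} or default-src)`);
      continue;
    }
    for (const src of sources) {
      if (WEAK_SOURCES.has(src.toLowerCase())) {
        findings.push(`${name}: weak source ${src} (from ${effective})`);
      }
    }
  }
  return findings;
}

// Constructed sample policies: the page's strict policy and a weakened one.
const STRICT = "default-src 'self'; script-src 'self'; style-src 'self'";
const WEAKENED = "default-src 'self'; style-src 'self' 'unsafe-inline'";
console.log(auditCsp(STRICT), auditCsp(WEAKENED));
```

The audit covers only script-src and style-src; a policy that also sets script-src-elem or style-src-attr needs those directives checked separately.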
Third-Party Dependencies
@wire-ui/react
| Dependency | Type | Purpose |
|---|---|---|
| react | peer | React 19+ |
| react-dom | peer | React DOM 19+ |
No runtime dependencies — only peer dependencies.
@wire-ui/vue
| Dependency | Type | Purpose |
|---|---|---|
| vue | peer | Vue 3.5+ |
No runtime dependencies — only peer dependencies.
@wire-ui/solid
| Dependency | Type | Purpose |
|---|---|---|
| solid-js | peer | SolidJS 1.9+ |
No runtime dependencies — only peer dependencies.
@wire-ui/mcp
| Dependency | Type | Purpose |
|---|---|---|
| @modelcontextprotocol/sdk | runtime | MCP protocol implementation |
| zod | runtime | Input validation for MCP tools |
The MCP server is a development tool and is not included in your production bundle.
Supported Versions
Security fixes are applied to the latest minor version only. We recommend always using the latest version of Wire UI.
| Version | Supported |
|---|---|
| Latest | Yes |
| Older | No |