Last updated: 2026-04-25

Security

Reporting a vulnerability

Open a private security advisory on GitHub:

  1. Go to the repository's Security tab.
  2. Click Report a vulnerability.
  3. Describe the issue, impact, and reproduction steps.

Please don't open a public issue for security problems.

Threat model

The extension is intentionally minimal:

  • MV3 manifest with a single content_scripts.matches entry: https://ui.shadcn.com/create*.
  • No permissions, no host_permissions, no activeTab, no downloads, no storage.
  • File save uses Blob + <a download>; clipboard uses navigator.clipboard.writeText.
  • The only network call is the live theme registry fetch from ui.shadcn.com (CSP-allowed connect-src).
  • Preset decode is pure JavaScript: no eval, no new Function.
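
A small check for those invariants, written as an added example rather than taken from the project: it takes a parsed manifest.json object and reports anything that departs from the threat model above. The sample manifest, its name and version are constructed placeholders.

```javascript
// Added example (not the project's code): verify a parsed manifest.json against
// the threat-model invariants listed in this document.
const EXPECTED_MATCH = "https://ui.shadcn.com/create*";

// Returns a list of violations; an empty list means the manifest fits the model.
function checkManifest(manifest) {
  const problems = [];
  if (manifest.manifest_version !== 3) {
    problems.push("manifest_version must be 3 (MV3)");
  }
  // activeTab, downloads and storage are all permission strings, so an empty
  // permissions array rules them out along with everything else.
  for (const key of ["permissions", "host_permissions"]) {
    const value = manifest[key] ?? [];
    if (value.length > 0) {
      problems.push(`${key} must be empty, got ${JSON.stringify(value)}`);
    }
  }
  const scripts = manifest.content_scripts ?? [];
  if (scripts.length !== 1) {
    problems.push(`expected exactly one content_scripts entry, got ${scripts.length}`);
  }
  for (const cs of scripts) {
    const matches = cs.matches ?? [];
    // Any extra or broader pattern (for example <all_urls>) widens where the script runs.
    if (matches.length !== 1 || matches[0] !== EXPECTED_MATCH) {
      problems.push(
        `content_scripts.matches must be ["${EXPECTED_MATCH}"], got ${JSON.stringify(matches)}`
      );
    }
  }
  return problems;
}

// Constructed sample manifest for this example; name and version are placeholders.
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  name: "placeholder-extension",
  version: "0.0.0",
  content_scripts: [{ matches: [EXPECTED_MATCH], js: ["content.js"] }],
};

const sampleProblems = checkManifest(SAMPLE_MANIFEST);
console.log(
  sampleProblems.length === 0 ? "OK: manifest matches the threat model" : sampleProblems.join("\n")
);
```

Run it against the built manifest (after `pnpm build`) to confirm a release still requests nothing beyond the single match pattern.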

Scope

In scope:

  • Extension content script: preset decode, registry fetch, dialog UI, file save, clipboard.
  • Shared formatter (packages/shared/src/formatter.ts).
  • This landing page (apps/web).

Out of scope:

  • ui.shadcn.com itself.
  • Vulnerabilities in third-party dependencies already disclosed upstream (please report those to the upstream project).
  • Issues that require a malicious browser extension already running with broader permissions than this one.

Disclosure timeline

  • Day 0: report received.
  • Within 5 days: acknowledgement and initial assessment.
  • Within 30 days: fix or mitigation plan.
  • Public disclosure: after a fix ships, or 90 days from report (whichever is sooner), unless coordinated otherwise.

Audit

The repository is open source (MIT). Source: github.com/rohitnirban/shadcn-design-md. Production builds are reproducible with pnpm install --frozen-lockfile && pnpm build.
