
Security Advisories

How Zoi handles security vulnerabilities and how to report them.

Zoi includes a decentralized security advisory system designed to keep your systems safe. Vulnerability information is stored directly within the package registries, ensuring that security data is always synchronized with the software definitions.

How it Works

Security advisories are defined in .sec.yaml files co-located with the .pkg.lua files in a registry.

  • Offline Support: Since advisories are part of the registry, they are available even in air-gapped environments after a zoi sync.
  • Proactive Protection: Zoi automatically checks for known vulnerabilities during zoi install and zoi update.
  • Manual Audits: Use the zoi audit command to scan your installed packages.

Auditing Your System

To check all installed packages for known vulnerabilities, run:

zoi audit

If any vulnerable packages are found, Zoi will display a report including the severity, a summary of the issue, and the version that contains a fix.

Advanced Auditing

You can also list all advisories in the database, even for packages you haven't installed:

# List all advisories
zoi audit --all

# List advisories for a specific repository
zoi audit --repo community

Security Warnings During Installation

When you attempt to install or upgrade a package to a version known to be vulnerable, Zoi will pause and display a warning:

SECURITY WARNING

Package nodejs v20.5.0 is known to be vulnerable: [ZSA-2026-0042] Heap buffer overflow in HTTP/2 parser (Severity: CRITICAL)

Fixed in version: 20.11.1

Do you want to continue anyway? [y/N]

You must explicitly confirm with y to proceed with the installation of a vulnerable package.

Reporting a Vulnerability

We encourage researchers and users to report security issues in Zoi packages.

For the Official Registry (Zoidberg)

  1. Prepare the Advisory: Create a new .sec.yaml file in the package's directory. Use ZSA-YYYY-TEMP.sec.yaml as a temporary filename.
  2. Submit a Merge Request: Open a Merge Request to the Zoidberg repository on GitLab.
  3. Automated ID Assignment: Upon submission, our CI system will automatically assign a unique Zoi Security Advisory (ZSA) ID and rename your file (e.g. ZSA-2026-D0043.sec.yaml).

Advisory Schema

id: ZSA-2026-D0042
package: nodejs
# Optional: Target a specific sub-package (e.g. docs, devel)
# If omitted, the advisory applies to the base package.
sub_package: devel
summary: "Short description of the issue"
severity: critical # low, medium, high, critical
affected_range: ">=20.0.0, <20.11.1"
fixed_in: "20.11.1"
description: |
  A detailed description of the vulnerability...
references:
  - https://nvd.nist.gov/vuln/detail/CVE-2026-1234

Severity Levels & ID Format

ZSA IDs follow the format [PREFIX]-YYYY-[SeverityChar][Number]. The severity character is mandatory and indicates the impact:

  • A (Low): Minor issues with low impact (e.g. ZSA-2026-A0042).
  • B (Medium): Moderate impact, often requiring specific configurations to exploit.
  • C (High): Significant impact, potentially leading to data loss or unauthorized access.
  • D (Critical): Severe vulnerabilities, such as remote code execution.

Note: The unique number in the ZSA ID is shared across all severity levels for a given year to prevent collisions.



2026 © All Rights Reserved.

  • All the content is available under CC BY-SA 4.0, except where otherwise stated.
