Please do not open a public issue for security vulnerabilities.
Instead, report them privately via GitHub Security Advisories, or email the maintainer. We will acknowledge receipt within a few days and keep you updated on the fix.
@vosjs/core compiles untrusted config (including function strings) into executable template code. If you find a way for compiled output to escape its intended sandbox, leak host data, or execute code outside the render iframe, that is in scope.
As a pre-1.0 project, only the latest published version receives security fixes.