Please do not open a public issue for security vulnerabilities. Instead, use GitHub's private vulnerability reporting or contact the maintainer directly. You will receive a response as soon as possible.
- Always set the
host-key-fingerprintinput so the server's identity is verified - Store all credentials (
password,private-key,passphrase) as encrypted GitHub Actions secrets - Prefer key-based authentication over passwords
- Release refs download only this repository's platform binary and verify it against the release's
checksums.txt - Prebuilt mode accepts a commit SHA only if it matches the exact release tag in
.easysftp-version; usebuild-mode: sourcefor all other SHAs