Lingua runs untrusted code on your machine. We take that seriously. Here is what the release pipeline does to make sure the binary you install is what we built, and what the runtime does to keep your snippets contained.

Signed and notarized binaries

  • macOS — signed with our Apple Developer ID certificate and notarized through Apple's notarization service. Gatekeeper will not warn you.
  • Windows — signed with an Authenticode certificate. SmartScreen reputation grows with each release.
  • Linux — .deb and .rpm packages with a maintainer signature.

SHA256 checksums

Every release ships a SHA256SUMS.txt file alongside the binaries. Verify before you install:

shasum -a 256 -c SHA256SUMS.txt

The checksum file is generated by the release workflow after every binary is built. The workflow itself runs in a public CI environment with audited steps.
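The verification step above, carried through end to end as an added example (not Lingua's release tooling): the script builds a constructed "release" directory with one placeholder archive and its SHA256SUMS.txt, checks that the pristine copy verifies, then appends a byte to the archive and confirms that the same checksum file now rejects it. The archive name and contents are invented for illustration; the script picks whichever SHA-256 tool the host provides.

```shell
#!/bin/sh
# verify_release.sh: added example of checksum verification for a release
# bundle. Not Lingua's own tooling; file names and contents are constructed.

# Pick a SHA-256 tool: sha256sum (GNU coreutils) or shasum (macOS, Perl).
# Both read and write the same "HASH  FILENAME" list format.
sha256_cmd() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$@"
  else
    shasum -a 256 "$@"
  fi
}

# verify_checksums DIR: succeeds only when every entry in DIR/SHA256SUMS.txt
# matches the file sitting next to it.
verify_checksums() {
  ( cd "$1" && sha256_cmd -c SHA256SUMS.txt >/dev/null 2>&1 )
}

# make_release: creates a constructed release directory containing one
# placeholder archive and a SHA256SUMS.txt generated from it; prints the path.
make_release() {
  dir=$(mktemp -d)
  printf 'lingua-binary-placeholder\n' > "$dir/lingua-1.0.0-linux-x64.tar.gz"
  ( cd "$dir" && sha256_cmd lingua-1.0.0-linux-x64.tar.gz > SHA256SUMS.txt )
  printf '%s' "$dir"
}

# demo: returns 0 when a pristine release verifies and a tampered copy
# (archive modified, checksum list left untouched) is rejected.
demo() {
  good=$(make_release)
  verify_checksums "$good" || return 1

  bad=$(make_release)
  # Simulate a modified download: the hash in SHA256SUMS.txt no longer matches.
  printf 'extra byte\n' >> "$bad/lingua-1.0.0-linux-x64.tar.gz"
  if verify_checksums "$bad"; then
    return 1
  fi

  rm -rf "$good" "$bad"
  return 0
}

demo && echo "checksum verification accepts the pristine release and rejects the tampered one"
```

The same `-c` invocation is what you run against a real download: place SHA256SUMS.txt next to the binary you fetched and a non-zero exit status means the bytes on disk are not the bytes the release workflow hashed.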

Release-blocking dependency audit

Every release pipeline run executes npm audit --omit=dev --audit-level=high as a blocking gate. A high or critical vulnerability in a runtime dependency stops the release train.

Vendored Python runtime

Pyodide v0.26.4 is bundled inside the desktop binary with integrity hashes pinned in runtime-assets.lock.json. The desktop app does not load Python from a CDN. The web build at app.linguacode.dev caches Pyodide via a Service Worker on first load and serves it locally afterward.

Sandboxed execution

  • JavaScript and TypeScript run inside a Web Worker with parent-owned timeouts and capped output buffers — a runaway loop cannot lock the renderer.
  • Python runs in a dedicated Pyodide worker with the same timeout and output limits.
  • Go and Rust subprocesses inherit a minimal environment (PATH, HOME, LANG, TMPDIR) — the host environment is not exposed wholesale to your snippet.
  • Filesystem IPC uses a capability-based registry: the renderer can only operate on paths under a project root the main process has explicitly approved.
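The minimal-environment rule for Go and Rust subprocesses, shown as an added shell example (not Lingua's own launcher code): only the four variables the text names are forwarded from the parent, everything else is dropped with `env -i`, and a helper lets you check what a child actually sees. The variable list comes from the page; the child command is a constructed stand-in for a compiled snippet, and a constructed `SECRET_TOKEN` variable plays the part of host state that must not leak.

```shell
#!/bin/sh
# run_minimal_env.sh: added example of launching a subprocess with an
# allowlisted environment. Not Lingua's own code; ALLOWED_VARS is taken from
# the text, the child command is constructed.

# Parent variables that are forwarded; everything else is dropped.
ALLOWED_VARS="PATH HOME LANG TMPDIR"

# run_minimal_env CMD [ARGS...]: run CMD under `env -i` (empty environment)
# with only the allowlisted variables re-added. Values are passed as separate
# arguments, so a HOME containing spaces survives intact.
run_minimal_env() {
  cmd_argc=$#
  # Append NAME=VALUE for each allowlisted variable that is set in the parent.
  for name in $ALLOWED_VARS; do
    eval "value=\${$name:-}"
    if [ -n "$value" ]; then
      set -- "$@" "$name=$value"
    fi
  done
  # Rotate the original CMD [ARGS...] behind the NAME=VALUE pairs.
  i=0
  while [ "$i" -lt "$cmd_argc" ]; do
    first=$1
    shift
    set -- "$@" "$first"
    i=$((i + 1))
  done
  env -i "$@"
}

# leaked_var NAME: prints the value a child launched through run_minimal_env
# sees for NAME, or "unset" when the variable was not forwarded.
leaked_var() {
  run_minimal_env sh -c 'printf "%s" "${'"$1"':-unset}"'
}

# Demonstration: a constructed secret in the parent does not reach the child,
# while PATH does.
SECRET_TOKEN="constructed-secret-value"
export SECRET_TOKEN
echo "child sees SECRET_TOKEN=$(leaked_var SECRET_TOKEN)"
echo "child sees PATH=$(leaked_var PATH)"
```

Running it prints `unset` for `SECRET_TOKEN` and the parent's `PATH` for `PATH`; the child's full environment (`run_minimal_env sh -c env`) contains nothing beyond the four allowlisted names that are set in the parent.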

Strict Content Security Policy

The desktop renderer ships with a CSP that blocks unapproved remote script and module imports. Anything Lingua needs at runtime is bundled.

Reporting a vulnerability

Email [email protected] with details. We aim to acknowledge within 72 hours. Please give us 90 days before public disclosure.