Please report any vulnerabilities in the issues here on github as soon as possible. QFPM only depends on SFDX... and NPM and NODE but otherwise has no production dependancies to reduce possible issues but that doesn't preclude the possibility.