| Version | Supported |
|---|---|
| 1.0.x | ✅ |
| < 1.0 | ❌ |

Please do NOT open public issues for security vulnerabilities.
Instead, report vulnerabilities through one of these channels:

- GitHub Security Advisories (preferred): Create a security advisory
- Direct contact: Open a private vulnerability report via GitHub's security tab.

- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
- Input validation bypasses
- Prototype pollution vulnerabilities
- Server-side injection risks
- Authentication/authorization bypasses in middleware
- Information disclosure through error messages
- Denial of service vectors
- Acknowledgment: Within 48 hours
- Assessment: Within 5 business days
- Fix for critical issues: Within 7 days
- Fix for non-critical issues: Next patch release

We follow coordinated disclosure. We will work with you to understand and address the issue before any public disclosure.