| Version | Supported             |
| ------- | --------------------- |
| >= 3.0  | ✅ (current)          |
| >= 2.9  | ✅ (until March 2027) |
| < 2.9   | ❌                    |

Please do not report security vulnerabilities through public GitHub issues.
Try to get in touch with the main maintainer by email at im[at]kdy.ch (PGP) with [SECURITY] prefixed in the subject line.
You should expect a reply within 48 hours. If for some reason that does not happen, please follow up via email or try to notify me on another platform that I should have received an email from you.
Please prefer to use English and provide as much information as possible, including:
- Version(s) tested
- Full path to the file(s) being the cause of the report
- The tested environment (i.e. the OS and its version, Node.js/runtime version)
- Special configuration used, if any
- A proof-of-concept or the code used for exploitation, if possible
- Explanation of the impact and how an attacker can run an exploit
Please note that we do not offer a bug bounty at the moment.