The repository is under active development and security fixes are applied to main.
Do not open public issues for vulnerabilities.
Preferred process:
- Open a private report via GitHub Security Advisories.
- If advisories are unavailable, open a minimal public issue that only asks for a private contact channel; do not include exploit details.
Include in the report:
- Affected area (route, component, script, dependency)
- Reproduction steps
- Impact assessment
- Suggested mitigation (if known)
Response targets:
- Initial triage: within 7 calendar days
- Confirmation and mitigation plan: as soon as practical, prioritized by severity
- Public disclosure: after a fix is available and the coordinated disclosure window has elapsed
Security reports can include:
- authentication/authorization bypass
- data exposure or privilege escalation
- injection or remote code execution vectors
- secrets handling and key management issues
- dependency supply-chain vulnerabilities