We actively maintain and provide security updates for the following versions:
| Version | Supported |
| --- | --- |
| 1.7.x | ✅ |
| 1.6.x | ❌ |
| 1.5.x | ❌ |
| 1.2.x | ❌ |
| 1.1.x | ❌ |
| 1.0.x | ❌ |
Older versions are no longer supported and will not receive security updates.
To report a security vulnerability, please use the GitHub Security Advisory by clicking the "Report a Vulnerability" button in the Security tab of this repository.
Do not open a public issue to report vulnerabilities, as this may expose sensitive information.
When submitting a vulnerability report through the GitHub Security Advisory, please include the following information:
- Vulnerability Description: A clear and concise explanation of the vulnerability, including the potential impact (e.g., data leakage, unauthorized access, etc.).
- Steps to Reproduce: Detailed, step-by-step instructions to reproduce the issue. Include code snippets, configurations, or any prerequisites required.
- Affected Versions: Specify the version(s) of the package where the issue occurs. If possible, confirm whether the issue exists in the latest release.
- Environment Details: Information about your environment, such as:
  - Operating System (e.g., Windows 10, macOS Monterey)
  - Node.js version
  - Package version
- Proof of Concept (PoC): A minimal, working example that demonstrates the vulnerability (if possible).
- Suggested Fix (Optional): If you have ideas or suggestions for resolving the issue, please include them.
- Additional Context (Optional): Any other relevant information that may help us understand the issue better (e.g., logs, related issues, references).
We will review your report promptly and coordinate with you to address the issue.
- We will acknowledge receipt of your report within 72 hours.
- We will investigate, confirm, and develop a fix.
- A patch will be released, and the version will be updated accordingly.
- Credit will be given to the reporter unless anonymity is requested.
- We follow a responsible disclosure policy: vulnerabilities will be disclosed publicly after a fix has been released.
- Users will be notified of critical issues via release notes.