If you discover a security vulnerability in any @paretools package, please report it responsibly.
Do not open a public GitHub issue for security vulnerabilities.
Instead, please email: hello@os4us.org
Include:
- Which package is affected (`@paretools/git`, `@paretools/test`, etc.)
- A description of the vulnerability
- Steps to reproduce (if applicable)
- Acknowledgement: Within 48 hours
- Assessment: Within 1 week
- Fix: Depends on severity, but we aim for patches within 2 weeks for critical issues
This policy covers all packages published under the @paretools npm scope.
- February 2026 Audit — 18 findings, 14 remediated, 4 accepted risk
| Package | Supported |
|---|---|
| @paretools/* >= 0.2.0 | Yes |