Security updates are provided for the following:
| Version | Supported |
|---|---|
| Latest default branch | Yes |
| Latest tagged release | Yes |
| Older releases | No |
| Forks not maintained by this repository | No |
Only the most recent maintained version receives security updates.
Users are strongly encouraged to stay current.
If you discover a security vulnerability, do NOT open a public issue.
Instead, report it privately to:
Please include:
- A clear description of the vulnerability
- Steps to reproduce
- Affected versions or commit hashes
- Proof-of-concept (if safe to share)
- Potential impact assessment
Reports that lack reproduction detail may delay resolution.
- Reports are reviewed in good faith.
- You will receive acknowledgment when feasible.
- If validated, remediation will be prioritized based on impact.
- Public disclosure should only occur after a fix is available.
No specific response time guarantees are provided.
This policy applies only to:
- Code within this repository
- Official releases produced from this repository
It does not apply to:
- Third-party dependencies (report those upstream)
- Unofficial forks
- Modified builds not produced by this repository
We support responsible disclosure.
We ask that you:
- Allow reasonable time for investigation and patching
- Avoid public disclosure before a fix is released
- Avoid exploiting the vulnerability beyond what is necessary to demonstrate it
We will not pursue action against researchers who act in good faith and follow this policy.
This project prioritizes:
- Stability
- Predictability
- Minimal attack surface
- Transparent fixes
Security patches may be released without prior notice if necessary.
Thank you for helping keep this project secure.