We release patches for security vulnerabilities in the following versions:

If you discover a security vulnerability within this project, please report it responsibly.

Please do NOT create public GitHub issues for security vulnerabilities.

1. GitHub Security Advisories (Preferred): Use GitHub's private vulnerability reporting to report the issue confidentially.

2. Email: If you prefer email, contact the maintainers directly through their GitHub profiles.

When reporting a vulnerability, please include:

• A description of the vulnerability
• Steps to reproduce the issue
• Affected versions
• Any potential mitigations you've identified
• Your assessment of the severity (Critical/High/Medium/Low)

• Initial Response: Within 48 hours of report submission
• Status Update: Within 7 days with an assessment
• Resolution Target: Within 90 days for most vulnerabilities

• We follow coordinated vulnerability disclosure
• We will acknowledge your contribution in the security advisory (unless you prefer to remain anonymous)
• We request that you do not publicly disclose the vulnerability until we have had a chance to address it

This project implements several security measures:

• Dependency Updates: Automated dependency updates via Dependabot and Renovate
• Static Analysis: CodeQL security scanning on all PRs and commits
• Vulnerability Scanning: Regular pnpm audit checks in CI
• Pinned Dependencies: GitHub Actions are pinned to commit SHAs
• Least Privilege: Workflow tokens use minimal required permissions
• OpenSSF Scorecard: Regular security posture assessment

When contributing to this project:

1. Never commit secrets, API keys, or credentials
2. Keep dependencies up to date
3. Follow secure coding practices
4. Report any security concerns promptly