Until v1.0.0 is released, security fixes are applied to the latest npm release
on npm's latest dist-tag and the default branch.
After the v1.0.0 release, the supported line is the latest supported 1.x npm
release on npm's latest dist-tag and the default branch. Security fixes are not
backported to older pre-1.0 releases unless a maintainer announces a specific
exception in the release notes.
Please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests.
Instead, use GitHub's private reporting flow:
When possible, include:
- a description of the issue
- affected file paths or commands
- steps to reproduce
- expected and actual behavior
- proof of concept or sample project
- impact assessment
We will review reports as quickly as possible and coordinate a fix before public disclosure when appropriate.