We actively support the following versions of first-di with security updates:

We take the security of first-di seriously. If you discover a security vulnerability, please follow these steps:

1. DO NOT open a public GitHub issue for security vulnerabilities
2. Send a detailed report to the repository maintainer via:
   • GitHub Security Advisory: Report a vulnerability
   • Email: Create an issue in the issue tracker marked as Security (if no sensitive details need to be shared)

Please provide the following information in your report:

• Description: A clear description of the vulnerability
• Impact: What could an attacker accomplish by exploiting this vulnerability
• Reproduction: Step-by-step instructions to reproduce the issue
• Version: The version of first-di affected
• Environment: Relevant environment details (Node.js version, TypeScript version, etc.)
• Suggested Fix (optional): If you have ideas on how to fix the vulnerability

• Initial Response: Within 48 hours of receiving the report
• Status Update: Within 7 days with either a fix timeline or request for more information
• Resolution: Security patches will be released as soon as possible, typically within 14 days for critical issues

1. The vulnerability is confirmed and assessed
2. A fix is developed and tested
3. A security advisory is prepared
4. A new version is released with the fix
5. The security advisory is published with CVE (if applicable)

When using first-di:

• Always use the latest stable version
• Regularly update dependencies using npm update or npm audit fix
• Review the CHANGELOG for security-related updates
• Use npm audit to check for known vulnerabilities in dependencies

• Follow secure coding practices
• Run npm audit before submitting pull requests
• Never commit sensitive information (API keys, passwords, tokens)
• Test changes thoroughly with various configurations

This package has minimal dependencies (only reflect-metadata as peer dependency). We:

• Monitor security advisories for all dependencies
• Update dependencies promptly when security issues are discovered
• Use npm audit in our CI/CD pipeline
• Follow semantic versioning to ensure stable updates

As a dependency injection library, first-di:

• Executes constructor code - ensure dependencies are from trusted sources
• Does not access network resources - all operations are local
• Does not handle sensitive data - it only manages object instantiation
• Runs in all environments - part of your application runtime

However, always ensure you:

• Install packages from official npm registry
• Verify package integrity using npm audit
• Review configuration changes before applying

When a security vulnerability is fixed:

1. We will credit the reporter (unless they wish to remain anonymous)
2. Details will be disclosed after a fix is available
3. We will publish a security advisory on GitHub
4. The vulnerability will be documented in the CHANGELOG

For any security-related questions or concerns, please:

• Open a GitHub Security Advisory
• Create an issue at: https://github.com/LabEG/first-di/issues

Thank you for helping keep first-di and its users safe!