We take security seriously and will provide security updates for the following versions:
| Version | Supported |
|---|---|
| Latest major version | ✅ |
| Older major versions | ❌ |
Note: Only the latest major version (e.g., v2.x) as published on the official release channel (e.g., npm, GitHub Releases) is supported with security updates. Users are encouraged to upgrade to the latest major version to receive security fixes.
We appreciate your efforts to responsibly disclose security vulnerabilities. To report a security issue:
- DO NOT open a public GitHub issue for security vulnerabilities
- Send an email to the maintainers with details about the vulnerability
- Include the following information:
  - Description of the vulnerability
  - Steps to reproduce the issue
  - Potential impact
  - Suggested fix (if any)
- Acknowledgment: We will acknowledge receipt of your report within 48 hours
- Investigation: We will investigate and validate the reported vulnerability
- Timeline: We aim to provide an initial assessment (confirmed or not, severity, and planned next steps) within 5 business days
- Resolution: Critical vulnerabilities will be addressed as soon as possible
We ask that you:
- Give us reasonable time to investigate and fix the issue before public disclosure
- Avoid accessing or modifying user data without permission
- Do not perform actions that could negatively impact our users or services
When contributing to this project:
- Keep dependencies up to date
- Follow secure coding practices
- Never commit secrets, API keys, or credentials
- Use parameterized queries to prevent SQL injection
- Validate and sanitize all user inputs
- Implement proper authentication and authorization
- Use HTTPS for all communications
We currently do not have a formal bug bounty program, but we appreciate and acknowledge security researchers who help improve our security posture.
Thank you for helping keep our project and users safe!