Security fixes are provided on a best-effort basis for the latest released version and the current development branch.
| Version | Supported |
|---|---|
| Latest release | Yes |
| master | Yes |
| Older releases | Best effort only |
Please do not report security vulnerabilities in public issues or discussions.
Preferred reporting path:
- use GitHub Private Vulnerability Reporting for this repository if it is enabled
If private vulnerability reporting is not available:
- contact the maintainer through GitHub and clearly mark the report as a security issue
Please include:
- affected version or commit
- impact
- reproduction steps or proof of concept
- any suggested mitigation if you have one
The project will try to:
- acknowledge the report within 7 business days
- investigate and validate the issue
- coordinate a fix and release when the report is confirmed
Response times are best effort and may vary based on report quality, maintainer availability, and severity.
Please give the project a reasonable amount of time to investigate and fix confirmed vulnerabilities before public disclosure.
If a report turns out not to be a security issue, it may be redirected to the normal issue tracker for follow-up.