If you believe you found a security vulnerability in DepGraph itself, do not open a public GitHub issue.
Report it by email to:
sara@synthesissoftworks.com
Please include:
- a clear description of the issue
- reproduction steps or a proof of concept
- impact and affected versions, if known
We will acknowledge the report, review it, and work on a fix as appropriate.
This policy applies to vulnerabilities in DepGraph.
It does not apply to suspicious or malicious third-party npm packages detected by DepGraph during scans. Those should be reported to the relevant registry, maintainer, or security contact for the affected package or ecosystem.
Security fixes are expected to land in the latest published release and on the main branch.