We release security updates for the following versions:
| Version | Supported |
|---|---|
| 3.x | ✅ Active development |
| 2.8.x | ✅ Supported |
| <2.8 | ❌ Not supported |
Please do not file public issues or discussions if you’ve discovered a potential security vulnerability.
Instead, use GitHub's private security advisory form:
Include the following details (if possible):
- A clear description of the vulnerability
- Steps to reproduce the issue
- Affected versions or commit hashes
- The potential impact (e.g. RCE, XSS, privilege escalation)
- Any suggested remediation (optional)
We typically respond within 72 hours, and address validated issues within 30 days.
You may also contact us privately via email at:
After verification and fix:
- A patch will be released.
- A GitHub Security Advisory will be published.
- A CVE will be requested if the severity justifies it.
- Credit will be given to the reporter (unless anonymity is requested).
We follow responsible disclosure principles and the OpenSSF guidelines.
If you self-host this project:
- Always keep up with releases
- Use automated scanners like `npm audit`, `trivy`, or `snyk`
- Do not expose admin tools to public networks
- Use HTTPS and strong authentication
- Monitor logs and set up alerts for anomalies