
Security: BoSuY0/dependency-risk-radar


Security Policy

Dependency Risk Radar is security tooling and should be conservative by default.

Supported Versions

The current development line targets v1.0. Security fixes should be applied to the latest maintained release branch once release branches exist.

Reporting Vulnerabilities

Please report vulnerabilities privately through the repository security advisory flow when available. If that is unavailable, contact the maintainers through the project's published security contact.

Do not include private tokens, proprietary lockfiles, or credentials in public issues.

Scanner Safety Guarantees

  • The scanner does not execute package code.
  • The scanner does not run install scripts.
  • The scanner does not read .env files or credentials.
  • Live network calls are documented and can be disabled with --offline.
  • Reports mask credentials in registry-style URLs.
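A worked illustration of the last guarantee, masking credentials in registry-style URLs before they land in a report. This is an added example, not code from the dependency-risk-radar project; the function names, the set of query keys treated as secret, the `.npmrc`-style `key=value` handling, and the sample report line are assumptions constructed for the demonstration. It also follows the "conservative by default" rule above: a URL that cannot be parsed is masked wholesale rather than passed through.

```python
"""Mask credentials in registry-style URLs before they reach a report.

Added example, not the project's own implementation. Function names,
SECRET_PARAMS, the regexes and the sample line are assumptions.
"""
import re
from urllib.parse import urlsplit, urlunsplit

MASK = "***"

# Query-string keys commonly used to carry registry credentials (assumed set).
SECRET_PARAMS = {"token", "access_token", "auth", "authtoken", "_authtoken",
                 "api_key", "apikey", "password", "_password"}

# Anything that looks like scheme://... up to whitespace or a quote.
URL_RE = re.compile(r"[a-z][a-z0-9+.\-]*://[^\s'\"<>]+", re.IGNORECASE)

# .npmrc / pip.conf style credentials such as //registry.npmjs.org/:_authToken=xxxx;
# these have no scheme, so URL_RE does not see them.
KV_SECRET_RE = re.compile(
    r"\b(_authToken|_auth|_password|password|token)\s*=\s*([^\s&]+)", re.IGNORECASE)

# Constructed sample report line; every credential in it is fake.
SAMPLE_REPORT_LINE = (
    "resolved https://deploy:s3cr3t@registry.example.com/npm/left-pad "
    "via https://registry.example.com/simple/?token=abc123&page=2 "
    "using //registry.npmjs.org/:_authToken=npm_FAKE")


def _mask_userinfo(netloc: str) -> str:
    """user:pass@host -> user:***@host; token@host -> ***@host."""
    if "@" not in netloc:
        return netloc
    userinfo, hostport = netloc.rsplit("@", 1)
    if ":" in userinfo:
        user, _password = userinfo.split(":", 1)
        userinfo = f"{user}:{MASK}"       # keep the username: it identifies which credential
    else:
        userinfo = MASK                   # bare token in the user position (GitHub/GitLab style)
    return f"{userinfo}@{hostport}"


def _mask_query(query: str) -> str:
    """Replace values of secret-looking keys; keep other pairs byte-for-byte."""
    if not query:
        return query
    out = []
    for item in query.split("&"):
        key, sep, value = item.partition("=")
        if sep and key.lower() in SECRET_PARAMS:
            value = MASK
        out.append(f"{key}{sep}{value}")
    return "&".join(out)


def mask_registry_url(url: str) -> str:
    """Mask the userinfo secret and secret query parameters of one URL."""
    try:
        parts = urlsplit(url)
    except ValueError:
        # Unparseable URL: conservative default, hide everything after the scheme.
        scheme, _, _rest = url.partition("://")
        return f"{scheme}://{MASK}"
    return urlunsplit((parts.scheme, _mask_userinfo(parts.netloc),
                       parts.path, _mask_query(parts.query), parts.fragment))


def mask_report_text(text: str) -> str:
    """Mask every URL and every key=value credential in a block of report text."""
    text = URL_RE.sub(lambda m: mask_registry_url(m.group(0)), text)
    return KV_SECRET_RE.sub(lambda m: f"{m.group(1)}={MASK}", text)


def leaks(text: str, secrets) -> list:
    """Return the secrets that still appear verbatim in text; use as a test gate."""
    return [s for s in secrets if s in text]


if __name__ == "__main__":
    masked = mask_report_text(SAMPLE_REPORT_LINE)
    print(masked)
    print("leaks:", leaks(masked, ["s3cr3t", "abc123", "npm_FAKE"]))
```

Two design points worth carrying into any real implementation: keep the username and host visible so an analyst can tell which credential and which registry were involved, and wire a `leaks`-style assertion into the test suite so that a new report field that bypasses the masker fails the build rather than shipping. Masking report text is the last line of defense; the scanner should avoid holding credentials in its data structures at all.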
