We provide security updates for the following versions of fontconfig-py:

| Version | Supported |
|---|---|
| 1.x | ✅ |
| < 1.0 | ❌ |

Security fixes are only planned for version 1.0 and later. Earlier versions (0.x releases) will not receive security updates. We strongly recommend upgrading to version 1.x to receive security patches and benefit from the Stable ABI support.
We take security vulnerabilities seriously. If you discover a security issue in fontconfig-py, please report it responsibly.
Please use GitHub Security Advisories for private vulnerability reporting:
- Go to the Security Advisories page
- Click "Report a vulnerability"
- Provide detailed information about the vulnerability
When reporting a security vulnerability, please include:
- A clear description of the vulnerability
- Steps to reproduce the issue
- Affected versions of fontconfig-py
- Potential impact and severity assessment
- Any suggested fixes or mitigations (if available)
- Your contact information for follow-up questions
- Initial Response: We aim to acknowledge your report within 48 hours
- Status Updates: We will keep you informed about our progress in addressing the issue
- Fix Timeline: We will work to release a security patch as quickly as possible, depending on the complexity and severity of the issue
- Credit: With your permission, we will acknowledge your contribution in the security advisory and CHANGELOG
- Please do not publicly disclose the vulnerability until we have had a chance to address it
- We will coordinate the disclosure timeline with you
- Once a fix is released, we will publish a security advisory on GitHub
- The vulnerability details will be included in the project's CHANGELOG
When a security vulnerability is confirmed:
- We will develop and test a fix
- A new version will be released with the security patch
- A GitHub Security Advisory will be published
- The fix will be documented in the CHANGELOG
- Users will be notified through:
  - GitHub Security Advisories (if they have notifications enabled)
  - Release notes on the GitHub repository
  - PyPI release announcement
fontconfig-py statically links the following third-party libraries:
- fontconfig: Font configuration and matching library
- freetype: Font rendering engine
We monitor security advisories for these dependencies and update them in our releases when security issues are identified.
If you discover a security vulnerability in our bundled dependencies (fontconfig or freetype):
- Report it through GitHub Security Advisories (as described above)
- We will update the affected library and release a new version
- The update will be documented in the CHANGELOG
We use Dependabot to monitor and update dependencies automatically. Security updates for GitHub Actions and Python dependencies are prioritized and reviewed promptly.
When using fontconfig-py:
- Always use the latest version to benefit from security updates
- Be cautious when processing untrusted font files: font parsing is done by the statically linked native fontconfig and freetype code, so font files from untrusted sources should be treated as untrusted input
- Follow the principle of least privilege when running applications that use fontconfig-py
- Keep your Python environment and system libraries up to date
If you have questions about this security policy or general security concerns (not specific vulnerabilities), please open an issue on the GitHub repository.
For private security-related communications, please use GitHub Security Advisories rather than email to ensure proper tracking and coordination.