This is a single-maintainer pre-1.0 FOSS package. Security fixes land on the latest tagged release, best-effort. Older tags are not backported. If you need stronger guarantees than that, please vendor the code or sponsor the project.
Please do not open a public GitHub issue or pull request for suspected vulnerabilities.
Use GitHub's private vulnerability reporting:
https://github.com/Vusys/laravel-nestedset/security/advisories/new
That route notifies the maintainer privately, opens an embargoed advisory, and gives us a place to coordinate the fix and CVE if needed.
If you cannot use GitHub Security Advisories, email bryan@vuii.co.uk. Whichever route you use, include:
- Affected version(s) / git SHA.
- A minimal reproduction (Laravel version, database backend and a nested-set fixture, where possible).
- Expected vs. actual behaviour, and the security impact you observed (data exposure, loss of tree integrity, etc.).
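As an added illustration of what a useful "minimal reproduction" looks like (this is not code from the project, and the model, column names and node methods below follow the Kalnoy-style nested-set API and are assumptions about this fork), the snippet runs an attacker-controlled value through the library inside a rolled-back transaction, records every SQL statement Laravel executes, and checks tree integrity so the report can state expected vs. actual behaviour precisely:

```php
<?php
// Added example, not part of laravel-nestedset. Run inside a Laravel app that has the
// package installed, e.g. from a feature test or `php artisan tinker`.
//
// Assumptions (label them in your report if yours differ):
//   - App\Models\Category uses the package's node trait with the default
//     `_lft` / `_rgt` / `parent_id` columns;
//   - Category::create($attributes, $parent) and Category::isBroken() exist
//     as in the Kalnoy-style API this fork derives from.

use App\Models\Category;
use Illuminate\Database\Events\QueryExecuted;
use Illuminate\Support\Facades\DB;

// Collect every query the library emits. Keep SQL and bindings apart: bindings are
// the attacker-controlled part, so a value that shows up inside `sql` instead of
// `bindings` is exactly the kind of evidence a report should carry.
$captured = [];
DB::listen(function (QueryExecuted $q) use (&$captured) {
    $captured[] = [
        'sql'      => $q->sql,
        'bindings' => $q->bindings,
        'time_ms'  => $q->time,
    ];
});

// Constructed input that would break a naively interpolated query. Use whatever
// value actually triggers the behaviour you are reporting.
$hostile = "x' OR 1=1 --";

DB::beginTransaction();
try {
    // Smallest fixture that exercises the code path: one root, one child.
    $root  = Category::create(['name' => 'root']);
    $child = Category::create(['name' => $hostile], $root);

    // Expected: exactly one child under the root and a consistent lft/rgt tree.
    $childCount = $root->children()->count();
    $broken     = Category::isBroken();

    echo "children of root: {$childCount} (expected 1)\n";
    echo 'tree broken: ' . ($broken ? 'yes' : 'no') . " (expected no)\n";
} finally {
    // Never leave the fixture behind, even if the library throws.
    DB::rollBack();
}

// Dump the statements verbatim for the advisory.
foreach ($captured as $i => $q) {
    printf("[%d] %s\n    bindings: %s\n", $i, $q['sql'], json_encode($q['bindings']));
}
```

Paste the printed statements, the affected tag or SHA, and the two "expected/actual" lines into the report; that is usually enough for the maintainer to reproduce without your database.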
Best-effort response and triage. No SLA, no bug bounty — this is unfunded hobby work. If a report is confirmed, the fix will ship in the next tagged release and we'll publish an advisory crediting the reporter (unless they prefer to remain anonymous).
In-scope:
- Anything in `src/` — the runtime library code.
- SQL generated by the query builders.
- Anything in `.github/` that could leak secrets or grant unintended write access.

Out-of-scope:
- Dependencies (`illuminate/*`, etc.) — please report those upstream.
- Issues that require a malicious database user with `SUPER` / `pg_write_server_files` privileges; if an attacker already has DB admin, the tree library isn't your last line of defence.