We actively support and provide security updates for the following versions of RepoSmith:

| Version | Supported |
|---|---|
| Latest (main) | Full support |
| Older | |

If you discover a security vulnerability in RepoSmith, please do not open a public issue.
Instead, report it through one of the following channels:

- Email: info@tameronline.com
- Private GitHub advisory: Report via GitHub

When reporting, please include:

- A clear description of the vulnerability.
- Steps to reproduce the issue.
- The potential impact (e.g., data leak, privilege escalation).
- Any suggested fix or mitigation (if available).

After you report:

- We will acknowledge your report within 48 hours.
- A maintainer will investigate and confirm the issue.
- If confirmed, we will work on a fix and prepare a security release.
- You will be notified once the fix is published.

To keep RepoSmith secure, we rely on GitHub's built-in security tooling:

- Dependabot Alerts: automatically notifies us about vulnerable dependencies.
- Code Scanning (CodeQL): detects potential vulnerabilities and coding errors.
- Secret Scanning: prevents accidental leaks of tokens, keys, or credentials.

We review alerts regularly and patch vulnerabilities as soon as possible.

We kindly ask you to follow responsible disclosure practices:

- Do not publicly share details of the vulnerability until a fix has been released.
- Avoid exploiting the vulnerability beyond what is necessary for a proof of concept.

Thank you for helping us keep RepoSmith and its community safe!