Security fixes are normally provided for currently supported release lines.
Support windows may vary by repository. When a repository has its own release policy or support matrix, that repo-local policy takes precedence.

Please do not open a public issue for a suspected vulnerability.
Instead:
- Use GitHub private vulnerability reporting for the repository if it is available.
- If private reporting is not available, contact the maintainers privately through GitHub before sharing details in public.

When reporting, include:
- affected version or commit
- impact you observed
- reproduction steps or a minimal proof of concept
- any workaround you already found

The goal is to acknowledge good-faith reports within 5 business days.
After a report is confirmed, the goal is to coordinate a fix and a release before public disclosure when that is practical.