http4k is released on a regular basis, generally as soon as fixes are available. We recommend keeping http4k up-to-date in order that any changes to APIs will not need to be mixed in with security patches.

Please reach out to: security@http4k.org if you find a vulnerability with http4k code. Typically you can expect a response the same working day.

For vulnerabilities in third party dependencies, we monitor these separately and update as soon as a fix is released by the maintainers. Our normal policy is to fix-forward.