If you discover a security vulnerability in @bloomkit/react, please do not open a public GitHub issue.
Instead, report it privately via GitHub Security Advisories.
This gives the maintainer a private channel to discuss the issue, develop a fix, and coordinate disclosure before the details become public.
When filing an advisory, please include:
- A clear description of the vulnerability
- Steps to reproduce
- The version of @bloomkit/react affected
- The potential impact (what an attacker could do)
- Any proof-of-concept code, if applicable
After you report, you can expect:
- Acknowledgement within a few days
- Initial assessment to confirm the report and scope
- A fix and coordinated disclosure once the issue is understood
- Credit in the release notes, if you want it
Bloomkit is pre-1.0 and only the latest published version is supported. Please update to the latest release before reporting.
| Version | Supported |
|---|---|
| latest | ✅ |
| < latest | ❌ |
Security issues in bloomkit itself are in scope. Issues in upstream dependencies (React, Radix, Tailwind, etc.) should be reported to their respective maintainers — though we appreciate a heads-up so we can pin or patch if needed.