Security: danieljancar/angular-switcher

SECURITY.md

Security Policy

Supported versions

angular-switcher is pre-1.0. Only the latest minor version receives security fixes.

Reporting a vulnerability

Please do not file a public issue.

Use GitHub's private vulnerability reporting at https://github.com/danieljancar/angular-switcher/security/advisories/new.

I aim to acknowledge reports within 72 hours and ship a patch within 14 days for confirmed issues. If the issue qualifies for a CVE, I will request one and credit the reporter unless they prefer to remain anonymous.

Scope

In scope:

  • The angular-switcher binary and library code in this repository.
  • Build and release pipelines under .github/workflows/.
  • Documented config and template formats.

Out of scope:

  • Vulnerabilities in upstream dependencies — please report those upstream. This project will update affected pinned versions promptly once a fix is available.
  • Misconfiguration of a downstream user's tasks.json or keymap.json.

Hardening guarantees

The codebase observes the following invariants, and any deviation from them is in scope:

  • #![forbid(unsafe_code)] at every crate root.
  • No shell invocation; subprocess paths are passed to Command::new as OsStr arguments.
  • TOML config uses deny_unknown_fields — typos error out rather than being silently accepted.
  • No network I/O, no telemetry.
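
The "no shell invocation" invariant, shown as an added example that is not code from this repository: a path handed to Command::new as its own argument stays one literal argv entry, while the same path pasted into an `sh -c` string is parsed by the shell. The function names, the `echo` stand-in program, the shell list and the sample path are assumptions made for illustration.

```rust
use std::ffi::OsStr;
use std::process::Command;

/// Invariant form: the program and the path are separate argv entries.
/// No shell parses the path, so metacharacters stay literal bytes.
fn direct_command(program: &OsStr, path: &OsStr) -> Command {
    let mut cmd = Command::new(program);
    cmd.arg(path);
    cmd
}

/// Anti-pattern the invariant rules out: the path is pasted into a string
/// that `sh -c` then parses, so `;` would start a second command.
fn shell_command(program: &str, path: &str) -> Command {
    let mut cmd = Command::new("sh");
    cmd.arg("-c").arg(format!("{program} {path}"));
    cmd
}

/// Program followed by its arguments, as the OS will receive them.
fn argv(cmd: &Command) -> Vec<String> {
    std::iter::once(cmd.get_program())
        .chain(cmd.get_args())
        .map(|s| s.to_string_lossy().into_owned())
        .collect()
}

/// Review-time check: true when a command is routed through a shell.
/// The shell list is a hypothetical, non-exhaustive sample.
fn uses_shell(cmd: &Command) -> bool {
    const SHELLS: [&str; 5] = ["sh", "bash", "zsh", "cmd", "powershell"];
    let prog = std::path::Path::new(cmd.get_program());
    prog.file_stem()
        .and_then(OsStr::to_str)
        .map_or(false, |name| SHELLS.contains(&name.to_ascii_lowercase().as_str()))
}

fn main() {
    // Constructed sample: a directory name containing shell metacharacters.
    let path = "demo; echo INJECTED";
    let safe = direct_command(OsStr::new("echo"), OsStr::new(path));
    let risky = shell_command("echo", path);
    // Nothing is spawned here; only the argv each form would hand to the OS is shown.
    println!("direct argv: {:?} shell={}", argv(&safe), uses_shell(&safe));
    println!("shell  argv: {:?} shell={}", argv(&risky), uses_shell(&risky));
}
```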

There aren't any published security advisories