We actively maintain and provide security updates for the following versions:

| Version | Supported |
|---|---|
| 5.0.x | ✅ Yes |
| < 5.0 | ❌ No |

Note: This package (v5.0+) is a complete modernization. For older versions (4.x and below), please refer to the original repository.

If you discover a security vulnerability in this package, please help us maintain a safe environment by reporting it responsibly.

- Email: Send details to dev.ahmedmahmoud@gmail.com
- Subject: Use "SECURITY: react-custom-scrollbars vulnerability"
- Include:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact
  - Suggested fix (if any)

After a report is received, our response timeline is:

- Acknowledgment: Within 24-48 hours
- Initial Assessment: Within 1 week
- Resolution Timeline: Depending on severity
  - Critical: Within 7 days
  - High: Within 14 days
  - Medium: Within 30 days
  - Low: Next scheduled release

Security fixes will be:

- Released as patch versions (e.g., 5.0.1)
- Documented in CHANGELOG.md
- Announced in GitHub releases
- Published immediately to npm

Security measures applied while maintaining this package:

- Dependencies: Regular audits with `npm audit`
- Code Quality: ESLint security rules
- TypeScript: Type safety to prevent runtime errors
- Build Process: Secure build pipeline with GitHub Actions

Recommended practices for users of this package:

- Keep Updated: Always use the latest version
- Audit Dependencies: Run `npm audit` in your project
- Input Sanitization: Sanitize any user content passed to scrollbars
- CSP Headers: Use Content Security Policy in production

Security-relevant properties of the package itself:

- No innerHTML Usage: DOM updates do not go through innerHTML
- No eval() or Function(): No dynamic code execution
- Type Safety: TypeScript prevents many runtime errors
- Minimal Dependencies: Zero runtime dependencies

We follow responsible disclosure practices:

- Critical vulnerabilities are patched before public disclosure
- Security advisories are published on GitHub
- Users are notified through multiple channels

For security-related questions or concerns:

- Email: dev.ahmedmahmoud@gmail.com
- GitHub: @dev-ahmedmahmoud

Thank you for helping keep the community safe! 🛡️