Only the latest release will receive security updates.

If a vulnerability only occurs in an outdated release, action will not be taken.

Backports will not be officially created or endorsed, as it is always advised to use our latest version.

For any vulnerability, you may use GitHub's private vulnerability reporting found in the security tab of the repository. (if enabled)

However, if this method does not work, you may:

• (If the vulnerability is minor), create a new issue on the repository.
• (If the vulnerability is minor), send a message in the repository's support method.
• Privately message the repository members.
• Email me@encode42.dev.

Please include reproduction steps, relevant configuration files and logs, and system information.

Vulnerability patches will be released as soon as possible, unless the issue is out of our control. If you are running an outdated release, it is advised to update to the latest release.

The release changelogs will clearly mention the patching of a vulnerability, no matter how severe. Exceptions to this stance may be made on a case-by-case basis.