We are currently providing security updates to the following http4s core versions:
| Version | Supported |
|---|---|
| 0.21.x | ✅ |
| 0.20.x | ✅ |
| 0.19.x | ❌ |
| 0.18.x | ❌ |
| < 0.18 | ❌ |
For other repos in the http4s org on different release cycles, see their documentation.
We will use keybase as the vehicle for reporting security issues as that gives us a forum to discuss, analyze, and remediate the threat before an exploit is published. Responsible disclosure enhances security for the entire community.
If the issue is deemed a vulnerability, we will release a patch version of our software and make sure that finds it way to Maven Central before we push the patch to github. After the patch is available on Maven Central, we will also provide a security advisory through github. As with every release, the source jars are published to maven central at the same time as the binaries.
We strongly recommend users of our libraries to use Scala Steward or something similar to automatically receive updates.
| name | github | keybase |
|---|---|---|
| Ross A. Baker | @rossabaker | @rossabaker |
| Christopher Davenport | @christopherdavenport | @davenpcm |
| Erlend Hamnaberg | @hamnis | @hamnis |