Showing with 73 additions and 7 deletions.

+7 −3 .github/issue_template.md

+4 −0 .github/pull_request_template.md

+10 −1 CHANGELOG.md

+4 −0 README.md

+45 −0 SECURITY.md

+1 −1 package-lock.json

+1 −1 package.json

+1 −1 package.json5
diff --git a/.github/issue_template.md b/.github/issue_template.md
@@ -1,6 +1,10 @@
-If you are submitting a bug because you are receiving an error or because this
-project is incompatible with the [official JSON5
-specification][spec], please continue.
+If you are reporting a security vulnerability, please do not submit an issue.
+Instead, follow the guidelines described in our
+[security policy](../blob/main/SECURITY.md).
+
+If you are submitting a bug report because you are receiving an error or because
+this project is incompatible with the [official JSON5 specification][spec],
+please continue.
 
 If you are submitting a feature request or code improvement that is compatible
 with the [official JSON5 specification][spec], please continue.

diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
@@ -1,3 +1,7 @@
+If you are patching a security vulnerability, please do not submit a pull
+request. Instead, follow the guidelines described in our
+[security policy](../blob/main/SECURITY.md).
+
 If you are submitting a bug fix for an an error or fixing an incompatibility
 with the [official JSON5 specification][spec], please continue.
 

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,7 +1,15 @@
 ### Unreleased [[code][c-unreleased], [diff][d-unreleased]]
 
 [c-unreleased]: https://github.com/json5/json5/tree/main
-[d-unreleased]: https://github.com/json5/json5/compare/v2.2.2...HEAD
+[d-unreleased]: https://github.com/json5/json5/compare/v2.2.3...HEAD
+
+### v2.2.3 [[code][c2.2.3], [diff][d2.2.3]]
+
+[c2.2.3]: https://github.com/json5/json5/tree/v2.2.3
+[d2.2.3]: https://github.com/json5/json5/compare/v2.2.2...v2.2.3
+
+- Fix: json5@2.2.3 is now the 'latest' release according to npm instead of
+  v1.0.2. ([#299])
 
 ### v2.2.2 [[code][c2.2.2], [diff][d2.2.2]]
 
@@ -379,3 +387,4 @@ parser for the regular JSON format.
 [#244]: https://github.com/json5/json5/issues/244
 [#266]: https://github.com/json5/json5/issues/266
 [#295]: https://github.com/json5/json5/issues/295
+[#299]: https://github.com/json5/json5/issues/299
diff --git a/README.md b/README.md
@@ -244,6 +244,10 @@ that compatibility is a fundamental premise of JSON5.
 To report bugs or request features regarding this **JavaScript implementation**
 of JSON5, please submit an issue to **_this_ repository**.
 
+### Security Vulnerabilities and Disclosures
+To report a security vulnerability, please follow the follow the guidelines
+described in our [security policy](./SECURITY.md).
+
 ## License
 MIT. See [LICENSE.md](./LICENSE.md) for details.
 

diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,45 @@
+# JSON5 Security Policy
+
+We take security seriously. Responsible reporting and disclosure of security
+vulnerabilities is important for the protection and privacy of our users. If you
+discover any security vulnerabilities, please follow these guidelines.
+
+Published security advisories are available on our [GitHub Security Advisories]
+page.
+
+To report a vulnerability, please draft a [new security advisory on GitHub]. Any
+fields that you are unsure of or don't understand can be left at their default
+values. The important part is that the vulnerability is reported. Once the
+security advisory draft has been created, we will validate the vulnerability and
+coordinate with you to fix it, release a patch, and responsibly disclose the
+vulnerability to the public. Read GitHub's documentation on [privately reporting
+a security vulnerability] for details.
+
+If you are unable to draft a security advisory, or if you need help or have
+security related questions, please send an email to [security@json5.org].
+
+Please do not report undisclosed vulnerabilities on public sites or forums,
+including GitHub issues and pull requests. Reporting vulnerabilities to the
+public could allow attackers to exploit vulnerable applications before we have
+been able to release a patch and before applications have had time to install
+the patch. Once we have released a patch and sufficient time has passed for
+applications to install the patch, we will disclose the vulnerability to the
+public, at which time you will be free to publish details of the vulnerability
+on public sites and forums.
+
+If you have a fix for a security vulnerability, please do not submit a GitHub
+pull request. Instead, report the vulnerability as described in this policy.
+Once we have verified the vulnerability, we can create a [temporary private
+fork] to collaborate on a patch.
+
+We appreciate your cooperation in helping keep our users safe by following this
+policy.
+
+[github security advisories]: https://github.com/json5/json5/security/advisories
+[new security advisory on github]:
+  https://github.com/json5/json5/security/advisories/new
+[privately reporting a security vulnerability]:
+  https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability
+[security@json5.org]: mailto:security@json5.org
+[temporary private fork]:
+  https://docs.github.com/en/code-security/security-advisories/repository-security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-repository-security-vulnerability
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "json5",
-  "version": "2.2.2",
+  "version": "2.2.3",
   "description": "JSON for Humans",
   "main": "lib/index.js",
   "module": "dist/index.mjs",

diff --git a/package.json5 b/package.json5
@@ -1,7 +1,7 @@
 // This is a generated file. Do not edit.
 {
   name: 'json5',
-  version: '2.2.2',
+  version: '2.2.3',
   description: 'JSON for Humans',
   main: 'lib/index.js',
   module: 'dist/index.mjs',