Security: metalsmith/metalsmith

SECURITY.md

Security Policy

Supported Versions

Future Metalsmith releases will at least support the oldest supported Node LTS versions.

Metalsmith 2.5.x supports Node.js versions 12 and higher.
Metalsmith 2.4.x supports Node.js versions 8 and higher.
Metalsmith 2.3.0 and below support Node.js versions all the way back to 0.12.

The table below documents which versions are eligible to receive security patches.

Version Supported
2.5.x
2.4.x
2.3.x
< 2.3

Reporting a Vulnerability

To report a security vulnerability, please create an issue at https://github.com/metalsmith/metalsmith/issues. If the issue is specific to a metalsmith core plugin, please report it in the relevant core plugin repository. A minimal reproducible test case is much appreciated. If you estimate that full disclosure of the CVE or the minimal reproducible test case will expose critical security risks, please send the details to metalsmith.org@gmail.com instead.