If you discover a security vulnerability in ShipKit, please do NOT open a public issue.
Instead, report it privately via GitHub's security advisory system:
https://github.com/sagar-grv/shipkit/security/advisories/new
You can also email hello@sagargiri.com. We aim to respond within 48 hours.
What to expect:
- Acknowledgment within 2 business days
- Regular updates on progress
- Coordinated disclosure once fixed
This policy covers the shipkit-pipe npm package, its source code, and the generated CI/CD templates.
Out of scope:
- Projects that use ShipKit-generated templates (report those to the project maintainer)
- Third-party dependencies (report to their respective maintainers)
ShipKit-generated pipelines include:
- CodeQL scanning: Automatic security analysis on every PR and push
- Supply chain security: `npm audit` runs in CI to catch known vulnerabilities in dependencies
- Dependabot: Weekly automated dependency update PRs
- Health monitoring: Periodic uptime checks with automatic issue creation
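The following is an added illustration of how those four controls are typically wired into a GitHub Actions repository; it is not a ShipKit-generated template and is not taken from the shipkit-pipe source. The workflow name, job names, the probed URL, the cron interval, the Node version and the `--audit-level=high` threshold are assumptions chosen for the example.

```yaml
# Added example, not a ShipKit template. File 1: .github/workflows/security.yml
# Names, URL, schedule and the audit threshold below are assumptions.
name: security-checks

on:
  push:
    branches: [main]
  pull_request:
  schedule:
    - cron: "*/30 * * * *"   # drives the uptime probe only

# Least privilege by default; jobs that need more ask for it explicitly.
permissions:
  contents: read

jobs:
  codeql:
    if: github.event_name != 'schedule'
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write   # required to upload SARIF results to code scanning
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: javascript-typescript
      - uses: github/codeql-action/analyze@v3

  npm-audit:
    if: github.event_name != 'schedule'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - run: npm ci            # install exactly what package-lock.json pins
      # npm audit exits non-zero when an advisory at or above the threshold is found,
      # so this step fails the job on high/critical findings and only reports lower ones.
      - run: npm audit --audit-level=high

  uptime:
    if: github.event_name == 'schedule'
    runs-on: ubuntu-latest
    permissions:
      contents: read
      issues: write            # needed for gh issue create
    steps:
      - uses: actions/checkout@v4
      - name: Probe the site and open an issue on failure
        env:
          GH_TOKEN: ${{ github.token }}
          URL: https://example.com        # assumption: replace with the deployed site
        run: |
          if ! curl --fail --silent --show-error --max-time 15 "$URL" > /dev/null; then
            gh issue create --repo "${{ github.repository }}" \
              --title "Uptime check failed for $URL" \
              --body "Automated probe in workflow run ${{ github.run_id }} could not reach $URL."
            exit 1
          fi

---
# File 2: .github/dependabot.yml (weekly dependency update PRs)
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
  - package-ecosystem: "github-actions"   # also keep the pinned action versions current
    directory: "/"
    schedule:
      interval: "weekly"
```

Two points a practitioner should check in any such pipeline: `npm audit` only blocks when the advisory severity meets `--audit-level`, so a threshold of `high` silently passes moderate findings, and the uptime job needs `issues: write` or `gh issue create` will fail with a permissions error even though the probe itself ran.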
Supported versions:

| Version | Supported |
|---|---|
| 3.x | ✅ |
| < 3.0 | ❌ |