SASjs is an enterprise tool, and the SASjs team takes security seriously. In general we look to minimise third-party dependencies, and we distinguish between production dependencies and development dependencies whenever possible.
In addition we take the following steps:
- Use of Dependabot for automated reporting of security issues
- Locking versions to prevent upgrades unless explicitly applied
- We run `npm audit` as part of the CI build to ensure the dependency tree is clear of warnings
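The steps above, expressed as a CI job, as an added example that is not part of the SASjs project's own configuration. It assumes a GitHub Actions workflow (the file path, job name and Node version are assumptions); `npm ci` installs exactly what the lockfile pins and fails if `package-lock.json` is out of sync with `package.json`, which enforces the version locking, and `npm audit` exits non-zero when any advisory is reported, which fails the build.

```yaml
# .github/workflows/audit.yml (assumed path; example, not the project's own file)
name: dependency-audit

on:
  push:
  pull_request:
  schedule:
    # Also run weekly so newly published advisories are caught between commits
    - cron: "0 6 * * 1"

jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: "20"   # assumed; pin to the version the project supports

      # npm ci installs only what package-lock.json pins and refuses to run
      # if the lockfile and package.json disagree, so an unreviewed upgrade
      # cannot slip in through the CI build.
      - name: Install locked dependencies
        run: npm ci

      # Full audit over production and development dependencies.
      # The default exit status is non-zero on any reported vulnerability,
      # so the job fails until the tree is clear. Add --audit-level=<level>
      # to fail only at or above a chosen severity.
      - name: Audit all dependencies
        run: npm audit

      # Separate check restricted to what ships to users, reflecting the
      # production/development split. --omit=dev requires npm 8 or later.
      - name: Audit production dependencies only
        run: npm audit --omit=dev
```

Dependabot is enabled separately through `.github/dependabot.yml` with `package-ecosystem: "npm"`; the workflow above is what turns its findings, and any advisory published after a commit, into a failing build rather than a notification.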
We support only the latest version with security updates. If you would like an earlier version supported, then do get in touch.
We welcome responsible disclosures and will act immediately. Please report here with full details of the vulnerability.