Only the latest published version of Stratal receives security updates. The project is pre-1.0 and does not maintain long-term support branches.

| Version | Supported |
|---|---|
| Latest | Yes |
| < Latest | No |

Do not open a public issue for security vulnerabilities.
Please report vulnerabilities through GitHub Private Vulnerability Reporting. This keeps the report confidential until a fix is available.
To file a report:
- Go to the Security tab of the repository
- Click Report a vulnerability
- Provide a description of the vulnerability, steps to reproduce, and any relevant context
In scope:
- Vulnerabilities in the Stratal framework code
- Security issues in direct dependencies used by Stratal
- Authentication, authorization, or injection flaws in framework-provided utilities
Out of scope:
- Application-level misconfigurations by end users
- Vulnerabilities in optional peer dependencies not bundled by Stratal
- Issues that require physical access or social engineering
Response process:
- Acknowledgement — We will acknowledge receipt of your report within 48 hours
- Assessment — We will evaluate the report and determine severity
- Fix — We target a fix within 90 days of acknowledgement, depending on complexity
- Release — A patched version will be published via npm with an accompanying changelog entry
- Disclosure — We follow coordinated disclosure; the vulnerability details will be made public after the fix is released
Reporters will be credited in the release notes for the patched version unless they request otherwise.