Security: Baskerville42/udid-tools

SECURITY.md

Security Policy

Supported Versions

The project currently maintains the following versions:

  • The main branch (main)
  • Latest stable release (if available)

Only these versions receive security updates and patches.


Reporting a Vulnerability

If you discover a security issue, please follow responsible disclosure guidelines:

🔒 Do not open a public issue with exploit details.

Instead:

Option 1 — Private Contact (Recommended)

Contact the repository owner privately through the email listed on the GitHub profile.

Option 2 — Minimal Public Report

If you prefer to open an issue:

  • Do not include sensitive or detailed exploit information.
  • Provide only a high‑level description.
  • Add the label security.

What to Include in a Report

To help us investigate, please include (when possible):

  • Clear description of the vulnerability
  • Steps to reproduce the issue
  • Expected vs. actual behavior
  • Impact assessment (what could go wrong)
  • Node.js version
  • Operating system / environment
  • Any logs or proof-of-concept (sent privately)

Response Process

  1. We will confirm receipt of your report within 48 hours.
  2. Investigation and validation typically occur within 5–10 days.
  3. You will be kept informed throughout the process.
  4. A fix will be developed and released as soon as possible.
  5. Credit will be given in release notes (unless you'd prefer to remain anonymous).

Responsible Disclosure

We ask researchers and contributors to:

  • Avoid public disclosure until a fix is released.
  • Avoid performing destructive testing on production deployments.
  • Follow ethical research principles.

Thank you for helping keep the project secure!
