| Version | Supported |
|---|---|
| 0.1.x | Yes |

Please do not report security vulnerabilities through public GitHub issues.

If you discover a security vulnerability in helixir, please report it privately using one of the following methods.

Use GitHub's private vulnerability reporting feature:

- Go to the Security tab of this repository
- Click "Report a vulnerability"
- Fill in the details of the vulnerability

This creates a private advisory visible only to maintainers, allowing us to coordinate a fix before public disclosure.

If you prefer email, send details to the maintainer directly. You can find contact information on the npm package page or by opening a blank GitHub issue requesting a security contact (without disclosing the vulnerability details).

Please include as much of the following information as possible:

- Type of vulnerability (e.g., path traversal, command injection, prototype pollution)
- Full paths of source file(s) related to the vulnerability
- Location of the affected source code (tag, branch, commit, or direct URL)
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the vulnerability and how an attacker might exploit it

After you submit a report, you can expect:

- Acknowledgment: within 48 hours of receiving your report
- Status update: within 7 days, with an assessment and expected timeline
- Patch release: as soon as possible, coordinated with you before public disclosure

We follow coordinated disclosure. Once a fix is ready:

- We will notify you before the patch is released
- We will credit you in the release notes (unless you prefer to remain anonymous)
- We will publish a GitHub Security Advisory after the fix is deployed

This security policy applies to the helixir package and its direct dependencies. Vulnerabilities in third-party dependencies should be reported to those projects directly, though we appreciate a heads-up if a dependency vulnerability affects helixir users.