Absolutely no security reports will be accepted that have been generated by LLM agents.
Security reports are accepted for the most recent major release, with a limited window of support after the initial major release.
- Bug reports will be accepted up to three months after release.
- Security reports will be accepted up to six months after release.
All issues raised must be demonstrated on the minimum supported Ruby version.
Important
Because diff-lcs 1 has been the only version for over twenty years, security reports will be accepted for one year after the release of diff-lcs 2.
| Version | Release Date | Support Ends | Security Support Ends |
|---|---|---|---|
| 1.x | 2010 | 2026-04-30 | 2027-01-31 |
| 2.x | 2026-01-31 | - | - |
Report vulnerabilities via the Tidelift security contact. Tidelift will coordinate the fix and disclosure.
Alternatively, create a private vulnerability report with GitHub or
send an email to [email protected] with the text diff-lcs
in the subject. Emails sent to this address should be encrypted using age
with the following public key:
age1fc6ngxmn02m62fej5cl30lrvwmxn4k3q2atqu53aatekmnqfwumqj4g93w