We often run master, or slightly behind master, on production systems. Tagged releases of all web components in this repo are published to npm and managed via lerna. If we get a security issue in a specific version, we are going to fix it in a newer release of the web component, and you should update to the latest stable release at that time.
Security-related issues should be filed in our general issue queue, https://github.com/haxtheweb/issues/issues, by selecting Advisories to draft a new security advisory. These vulnerabilities are taken seriously, and private discussions will happen among the core team to identify the validity of the threat, issue solutions, and communicate through appropriate government channels.