We only provide security updates for the latest major version of our packages. We recommend using the latest versions.
We update our dependencies only after a cool-down period, provide immutable releases on GitHub and use trusted publishing for npm to improve supply chain security.
We use CodeQL to discover vulnerabilities as part of our continuous integration process.
You should use the "Report a vulnerability" feature under the "Security" tab of the appropriate repository.
You can expect an acknowledgement of your report within 3–5 business days.
We follow a policy of responsible disclosure. We ask that you give us a reasonable amount of time to remediate the issue before any public information is shared.
We'll only issue security advisories when a non-local actor can exploit a confirmed vulnerability.
Our packages are typically local development dependencies, so issues such as regular expression performance (or similar) that could affect public servers do not apply to them.