The latest major version of the project is supported with security updates. Previous major1 versions will also receive security updates for 12 months after the release of their respective next major versions.
To report a vulnerability, please open a private vulnerability report at the respective repository's security page, e.g. https://github.com/changesets/changesets/security. Please do not report upstream vulnerabilities unless the code is bundled in the package.
A maintainer will respond to your report as soon as possible. Please do not open a public issue for security vulnerabilities.
Thanks for helping us keep our project secure!
Footnotes
-
This applies to the primary project(s) contained in the repository and doesn't apply to all sub-packages that exist for organizational purposes. Those sub-packages shall receive security updates only in the major versions used by the supported primary project(s). ↩