Security fixes are applied to the latest released version of processkit-go. Older versions are not maintained — upgrade to the latest release to receive fixes.
Do not open a public issue for security vulnerabilities.
Report privately through GitHub's private vulnerability reporting (repository Security → Advisories → Report a vulnerability). If that is unavailable, contact the maintainer listed on the ZelAnton profile.
Please include:
- a description of the vulnerability and its impact;
- steps to reproduce (a minimal proof of concept is ideal);
- affected version(s).
You can expect an initial acknowledgement within a few days. Once a fix is
ready, a patched release is published as a new vX.Y.Z tag (which pkg.go.dev and
the module proxy pick up) and the advisory is disclosed.
This project ships three layers of scanning:
- CodeQL (
codeql.yml) runs GitHub's static analysis over the Go code on every push, pull request, and weekly. - govulncheck (a CI job in
ci.yml) checks the dependency tree against the Go vulnerability database, reporting only vulnerabilities reachable from your code. - Dependabot (
dependabot.yml) keeps GitHub Actions and Go module dependencies current.