You can find our security.txt here: security.txt
Do not open a public GitHub issue or submit a public pull request describing the vulnerability.
We use several automated mechanisms to help detect and reduce risk:
- GitHub code scanning for static analysis.
- Dependency scanning and alerts for known vulnerabilities.
- Automated dependency updates.
- Renovate is configured to propose updates only for packages whose release has been published for at least 3 days.
  This allows time for the ecosystem to discover and revert problematic releases.
- pnpm is configured so that no dependency version published less than 24 hours ago is installed.
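The two release-age gates above (3 days for proposed updates, 24 hours at install time) both reduce to the same check: compare a version's publish timestamp with the current time minus a minimum age. The following is an added example, not code from this project or from Renovate or pnpm; it runs that check over a constructed sample of the `time` map that an npm registry packument carries (version -> ISO 8601 publish time), so it can be exercised offline.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of a packument's `time` map. Real packuments have the
# same shape, plus the non-version keys "created" and "modified".
SAMPLE_TIMES = {
    "created": "2024-01-01T00:00:00.000Z",
    "modified": "2024-03-10T08:00:00.000Z",
    "1.0.0": "2024-01-01T00:00:00.000Z",
    "1.1.0": "2024-03-01T12:00:00.000Z",
    "1.1.1": "2024-03-10T08:00:00.000Z",  # freshly published: the risky one
}

NON_VERSION_KEYS = {"created", "modified"}


def publish_time(times, version):
    """Parse the registry's ISO 8601 timestamp for `version` as an aware UTC datetime."""
    return datetime.fromisoformat(times[version].replace("Z", "+00:00"))


def eligible_versions(times, minimum_age, now):
    """Versions published at least `minimum_age` before `now`, newest-first.

    A release younger than the gate is invisible to the resolver, which is
    what gives the ecosystem time to notice and revert a bad publish.
    """
    cutoff = now - minimum_age
    candidates = [v for v in times if v not in NON_VERSION_KEYS]
    ok = [v for v in candidates if publish_time(times, v) <= cutoff]
    return sorted(ok, key=lambda v: publish_time(times, v), reverse=True)


def newest_eligible(times, minimum_age, now):
    """The version an age-gated update or install would pick, or None."""
    ok = eligible_versions(times, minimum_age, now)
    return ok[0] if ok else None


if __name__ == "__main__":
    now = datetime(2024, 3, 11, tzinfo=timezone.utc)  # constructed "current" time
    print("Renovate-style 3-day gate:", newest_eligible(SAMPLE_TIMES, timedelta(days=3), now))
    print("pnpm-style 24-hour gate:  ", newest_eligible(SAMPLE_TIMES, timedelta(hours=24), now))
```

With `now` set to 2024-03-11, both gates hold back 1.1.1 and resolve to 1.1.0; one day later the 24-hour gate admits 1.1.1 while the 3-day gate still does not.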