If you discover a security vulnerability in any OpenMerch SDK package, please report it responsibly.
Do not open a public GitHub issue for security vulnerabilities.
Instead, email security@openmerch.dev with:
- A description of the vulnerability
- Steps to reproduce
- Affected package(s) and version(s)
- Any potential impact you've identified
We will acknowledge receipt within 48 hours and provide an initial assessment within 5 business days.
Security fixes are published in the latest minor release of each package; keep your dependency on the current minor version to receive them.
This policy covers the packages published from this repository under the @openmerch npm scope.