Security: pametan/decide

Security Policy

Reporting a vulnerability

Please report security issues privately to security@pametan.co rather than opening a public issue. We aim to acknowledge reports within 2 business days.

Treat the following with the same priority as a security report:

  • Sandbox escape — any input to the expression evaluator that executes code, accesses globals, or does anything beyond field reads, comparisons and boolean logic. The evaluator must never reach eval, Function, or property/method calls.
  • A correctness bug that produces the wrong outcome or an inaccurate trace.
  • A regex (in a matches condition) that can be made to catastrophically backtrack on attacker-controlled input (ReDoS).

Use synthetic/example data in any report.

Supported versions

The latest published minor version receives fixes. Until a 1.0 release, the API is stable but not yet frozen.
