Email kuba.koval@gmail.com with subject prefix [umbel-security].
Please include:
- Affected version(s)
- Steps to reproduce
- Impact assessment (what an attacker could do)

Solo maintenance — best-effort response, no SLA. I'll acknowledge within a reasonable window and patch in a follow-up release.

In scope: anything in this repository (src/, build outputs, CLI behavior).

Out of scope: Claude Code itself (report to Anthropic), MCP servers you configure (report to their authors), generic Node.js / npm ecosystem issues.