Security fixes are provided for the latest stable major release of each repository. Repositories marked foundation, pre-1.0.0, archived, or explicitly unsupported do not carry a production-support commitment.
Do not open a public issue. Use Report a vulnerability in the repository's Security tab. If private vulnerability reporting is unavailable, contact the maintainers privately through the Easy Starter organization profile.
Include:
- Affected repository and version or commit
- Impact and realistic attack scenario
- Reproduction steps or a minimal proof of concept
- Known mitigations or workarounds
- Whether the issue has been disclosed elsewhere
Please allow maintainers time to investigate before public disclosure. Never include real credentials, customer data, or destructive payloads in a report.