Do not open a public issue for security vulnerabilities.
If you discover a security vulnerability in PackRegistry, please report it through GitHub's private security advisory. Include the following in your report:
- A description of the vulnerability
- Steps to reproduce or a proof of concept
- The potential impact
- Your PackRegistry subdomain (if applicable)

After you submit a report:
- We will acknowledge your report within 48 hours
- We will provide an initial assessment and expected timeline for a fix
- We will notify you when the vulnerability has been resolved
This policy covers the PackRegistry platform and all supported ecosystems (Composer, npm, Yarn, pnpm, Bun, Pip, uv, Gem, Helm, Maven, NuGet, and Cargo).
Thank you for helping keep PackRegistry and its users safe.