Thank you for reaching out regarding the security of the ShellJS module! Please note that this project is maintained on a best-effort basis, however I still intend to prioritize reviewing and addressing security issues.

I generally only support the latest ShellJS release (see https://www.npmjs.com/package/shelljs). My goal is to release security fixes as patch releases on top of whatever was most recently shipped.

If breaking changes have already landed on the main development branch, I may apply the patch on the relevant release branch (ex. 0.8-release) and create a new release from there.

Please report security vulnerabilities to ntfschr@gmail.com. I should respond within a few days. Although it's not strictly required, it helps me out if you can include any proof of concept exploit code, suggested fix, etc.

Please do not publicly disclose the suspected vulnerability until I have a chance to review your report. I'd like a chance to patch the code before the issue is known to the public.

Please only use this email for security issues. It's also OK to use the email if you're legitimately unsure if this is a security issue (better safe than sorry). But for all other non-security issues, please use the GitHub issue tracker.