By default, only the latest version of the library is supported. Security patches may be backported to older versions, but only in exceptional circumstances.
- Suspected security vulnerabilities should not be discussed publicly. Do not open an issue using the normal issue tracker.
- Create your own fork of this project
- Create a Security Advisory in your fork. Do not worry about getting all the settings correct initially.
- Grant access to my username (pjfanning) so that I can see the description of the issue and comment.
- If I accept that there is a vulnerability, I move the Security Advisory to this project and add all the parties from the fork advisory as collaborators.
- I will try to get a fix, a release and CVE assignment done as quickly as I can.