| 1 | +# ShellJS Security Policy |
| 2 | + |
| 3 | +Thank you for reaching out regarding the security of the ShellJS module! Please |
| 4 | +note that this project is maintained on a best-effort basis, however I still |
| 5 | +intend to prioritize reviewing and addressing security issues. |
| 6 | + |
| 7 | +## Supported Versions |
| 8 | + |
| 9 | +I generally only support the latest ShellJS release (see |
| 10 | +https://www.npmjs.com/package/shelljs). My goal is to release security fixes as |
| 11 | +patch releases on top of whatever was most recently shipped. |
| 12 | + |
| 13 | +If breaking changes have already landed on the main development branch, I may |
| 14 | +apply the patch on the relevant release branch (ex. |
| 15 | +[`0.8-release`](https://github.com/shelljs/shelljs/commits/0.8-release) and |
| 16 | +create a new release from there. |
| 17 | + |
| 18 | +## Reporting a Vulnerability |
| 19 | + |
| 20 | +Please report security vulnerabilities to [email protected]. I should respond |
| 21 | +within a few days. Although it's not strictly required, it helps me out if you |
| 22 | +can include any proof of concept exploit code, suggested fix, etc. |
| 23 | + |
| 24 | +**Please do not publicly disclose the suspected vulnerability** until I have a |
| 25 | +chance to review your report. I'd like a chance to patch the code before the |
| 26 | +issue is known to the public. |
| 27 | + |
| 28 | +Please **only** use this email for security issues. It's also OK to use the |
| 29 | +email if you're legitimately unsure if this is a security issue (better safe |
| 30 | +than sorry). But for all other non-security issues, please use the GitHub issue |
| 31 | +tracker. |
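Review bot: The parenthesis opened at "(ex." on line 14 of the new file is never closed. The `0.8-release` link on line 15 runs straight into "and create a new release from there", so the aside swallows the rest of the sentence. Close it right after the link, and consider "e.g." in place of "ex.". Separately, the "Reporting a Vulnerability" section says a response should come "within a few days" but gives reporters no guidance on what to do if none arrives; a sentence on follow-up would make the non-disclosure request on lines 24-26 easier to honor.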