Nx/Nrwl takes the security of our software products and services seriously, which includes all source code repositories managed through our GitHub organizations.
If you believe you have found a security vulnerability in any Nx-owned repository, and it meets Nx's definition of a security vulnerability, please report it to us as described below.
Please do not report security vulnerabilities through public GitHub issues.
Instead, please report them to the Security Team at [email protected].
You should receive a response within 24 hours. If for some reason you do not, please follow up via email to ensure we received your original message.
Nx follows the principle of Coordinated Vulnerability Disclosure.
The security email is for demonstrable, verified vulnerabilities within the Nx codebase itself.
Please do not use the security email for:
- Reports about outdated dependencies (e.g., "package X has a newer version available")
- Reports about dependencies with known CVEs that do not directly affect Nx functionality
- General vulnerability scanner output

If you have a concern about an outdated dependency that you believe impacts Nx users, please open a GitHub issue instead.