Security updates are applied only to the latest release.
If you have discovered a security vulnerability in this project, please report it privately. Do not disclose it as a public issue. This gives us time to work with you to fix the issue before public exposure, reducing the chance that the exploit will be used before a patch is released.
Please disclose it at security advisory.
This project is maintained by a team on a best effort basis. As such, vulnerability reports will be investigated and fixed or disclosed as soon as possible.
If you do not receive an acknowledgement of your report within 6 business days, or if you cannot find a private security contact for the project, you may escalate to the OpenJS Foundation CNA at [email protected].
If the project acknowledges your report but does not provide any further response or engagement within 14 days, escalation is also appropriate.