Because this crate is pre-1.0 (see semver), only the
latest 0.x.y release receives security fixes. When 0.(x+1).0 ships, the
previous minor is no longer supported.
| Version | Supported |
|---|---|
| Latest 0.5.x | ✅ |
| Older 0.5.* | ❌ |
| Any 0.4.x or earlier | ❌ |
Please report security issues via GitHub Private Vulnerability Reporting.
Do not file a public issue and do not email directly. Private Vulnerability Reporting keeps the disclosure confidential until a fix is ready and published, and gives us a coordinated disclosure timeline that public issues can't.
When you report, please include:
- A brief description of the issue
- A reproduction (minimal Rust snippet or step list)
- The affected crate name and version
- Whether you believe the issue is exploitable in practice
This project is maintained by a single developer on a best-effort basis. Expect an initial response within 7 days. Fix timing depends on severity and complexity. Hard SLAs are not promised pre-1.0 — if you need a stronger commitment, please say so in the initial Private Vulnerability Report.
This policy covers the following crates published from this repository:
Vulnerabilities in downstream dependencies (gpui, iced, serde, ashpd, etc.) should be reported to those projects directly.
cargo audit runs in CI via
rustsec/audit-check on every
pull request, flagging known advisories against locked dependencies before
they merge.