To report a vulnerability, please privately report it via the Security tab on the correct GitHub repository (see documentation). Do not open a public issue. Provide:
- A clear description of the issue
- Steps to reproduce
- Expected vs. actual behavior
- Potential impact
- A proof of concept, if possible
- Affected commit / version (if known)
 
We aim to acknowledge receipt of a valid report within 1 week.
We aim to provide a remediation plan or decision within 4 weeks. Actual fix time may be shorter or longer depending on severity, complexity, and scope.
In scope:
- Vulnerabilities introduced by code in this repository
- Supply-chain risks caused by how this repository consumes or distributes its own code (e.g. insecure GitHub Actions)
 
Out of scope:
- Issues only present in third-party dependencies (please report those upstream)
- Issues that can only be exploited when the underlying platform (browser, server runtime) is compromised
- Using untrusted user content without sanitization in places that are not explicitly sanitized by the framework (for example, in Svelte, putting user content into `{@html ...}` is unsanitized, while `{...}` is sanitized insofar as the content cannot alter the HTML structure to e.g. insert script tags)
- Denial of service via excessive legitimate use
 
Please keep reports private until a fix is released and a Security Advisory is public.