| Version | Supported |
|---|---|
| 1.3.x | Yes |
| 1.2.x | Yes |
| 1.1.x | No |
| 1.0.x | No |
| < 1.0 | No |

Please report security issues privately using GitHub private vulnerability reporting:
If private reporting is unavailable, contact maintainers via repository security contact channels.

- Initial acknowledgment: within 48 hours
- Initial assessment: within 7 days

Include the following details in your report:
- A clear description of the vulnerability
- Reproduction steps or a proof of concept
- Potential impact and affected surfaces

Please do not open public GitHub issues for security vulnerabilities.

This policy covers:
- VS Code extension behavior, including webview rendering and local file handling
- MCP server behavior, including stdio transport and file operations
- npm package supply chain and release artifacts