The latest tagged release on main is the only supported version. Older versions receive fixes only at the maintainers' discretion.
| Version | Supported |
|---|---|
| Latest tag | ✅ |
| Older tags | |
| Unreleased | ❌ |
Do not open a public GitHub issue for security reports.
Use GitHub's Private vulnerability reporting feature on this repo:
- Go to the Security tab.
- Click Report a vulnerability.
- Provide reproduction steps and an impact assessment.
You will get a response within 72 hours. If we accept the report, expect:
- An acknowledgement with a tracking handle.
- A fix branch and a draft release.
- Coordinated disclosure once a patched VSIX is published.
In scope:
- The VS Code extension code in this repository.
- The bundled
perception.em.predefined(information disclosure, schema poisoning). - The bundler script (
scripts/bundler.ts) — path traversal, arbitrary write. - The DAP attach handshake (denial of service, MITM).
Out of scope:
- Vulnerabilities in the Perception runtime itself — report to Perception.cx directly.
- Vulnerabilities in the Enma language compiler — report to the Enma team.
- Generic VS Code or
vscode-languageclientissues — report upstream.
Thanks for keeping the ecosystem safe.