Until a 1.0 release, security fixes land on the latest published minor and are
not backported to earlier 0.x versions.

| Version | Supported |
|---|---|
| 0.13.x | ✅ |
| < 0.13 | ❌ |

We take security vulnerabilities seriously. If you discover a security issue:

- Do not open a public GitHub issue
- Send security concerns to the maintainers via GitHub's private vulnerability reporting
- Include:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact
  - Suggested fix (if available)

Response targets:

- Acknowledgment: Within 48 hours
- Initial assessment: Within 5 business days
- Patch target: Within 90 days

We use `cargo audit` in CI to scan for known vulnerabilities in dependencies.

We use `gitleaks` in CI to detect accidentally committed secrets, API keys, and credentials.