Security fixes are considered for the latest released version of Stepper.
Stepper is distributed as source through the shadcn registry. Consumers copy the component into their own applications, so security impact can depend on local usage and customization.
Please do not open a public issue with exploit details.
Use GitHub private vulnerability reporting for this repository when available. If private reporting is not available, open a minimal issue asking for a private contact path and do not include sensitive details.
Helpful reports include:
- affected version or commit
- the vulnerable behavior
- a minimal reproduction or proof of concept
- expected impact
- suggested mitigation, if known
Accessibility bugs, rendering issues, documentation problems, and API design feedback should use the normal issue forms unless they expose a concrete security risk.