Security fixes are prioritized for the latest release published to VS Code Marketplace and Open VSX.
Please do not report security vulnerabilities in public issues.
To report a vulnerability privately:
- Email: mdtanvirahamedshanto@gmail.com
- Subject: Security Report - Node.js Package Manager
- Include steps to reproduce, affected versions, and potential impact
You can expect:
- Initial acknowledgment within 72 hours
- Follow-up after triage with severity and next steps
- Coordinated disclosure once a fix is available
- Allow maintainers time to investigate and patch before public disclosure
- Avoid sharing proof-of-concept exploits publicly until a fix is released
- Provide enough technical detail for reliable reproduction