Security fixes are currently provided for the latest code on the main branch.
| Version | Supported |
|---|---|
main |
✅ |
| older snapshots/tags | ❌ |
Please do not open public issues for security vulnerabilities.
Use one of the private channels below:
- GitHub Security Advisories (preferred): open a private vulnerability report in the repository.
- If advisories are unavailable, contact maintainers directly through private repository contact channels.
Please include as much detail as possible:
- affected area and impact
- reproduction steps or proof of concept
- environment details (local, preview, Cloudflare runtime)
- suggested mitigation (optional)
- Initial acknowledgment: within 72 hours
- Triage decision: within 7 days
- Fix timeline: depends on severity and complexity, shared during triage
- Never commit real credentials in
.env,.dev.vars, or source files. - Rotate keys immediately if a secret leak is suspected.
- Keep Cloudflare, OAuth, JWT, and email provider credentials scoped to least privilege.
After a fix is available, maintainers may publish a summary including impact, affected versions, and mitigation guidance.