Security Reporting
Do not publish sensitive security reports in public issues.
What counts as sensitive
Use a private maintainer channel for reports involving:
- Authentication or authorization bypass.
- Token, cookie, or session exposure.
- Private API credentials.
- Cross-site scripting or unsafe rendering.
- Package supply-chain concerns.
- A vulnerability that affects production users.
What to include
Include enough detail for maintainers to reproduce the issue safely:
- A short summary.
- Affected package and version.
- Minimal reproduction steps.
- Expected security boundary.
- Actual behavior.
- Whether the issue is public, private, or already exploited.
- Suggested mitigation, if known.
What not to include
Do not include:
- Live access tokens.
- Seed phrases.
- Private keys.
- Customer data.
- Production-only exploit scripts.
Use sanitized examples wherever possible.