| Version | Supported |
|---|---|
| 1.4.x | ✅ |
| < 1.4 | ❌ |
Please report security vulnerabilities privately via:
- GitHub Security Advisory: Use the "Report a vulnerability" tab on this repository
Do not file public issues for security vulnerabilities.
- Acknowledgment: Within 48 hours
- Initial assessment: Within 7 days
- Fix timeline: Depends on severity; critical issues targeted within 30 days
- Zero dependencies — eliminates supply-chain attack surface
- Signed commits — all commits SSH-signed; branch protection enforces this
- 2FA on npm — publishing requires OTP or granular token. Note: bypass-2fa granular tokens are deprecated and will lose direct publish capability in January 2027. Plan to migrate to trusted publishing (OIDC) before then.
- Provenance —
publishConfig.provenance: truefor CI publishes (GitHub OIDC) - Minimal runtime — pure Node.js >=24, no native bindings
- No install lifecycle scripts — git hooks are installed explicitly with
npm run install-hooks