If you discover a security vulnerability in ts-runtime-picker, please follow these steps to report it:
Please do not open a public issue in the repository. Instead, report the vulnerability privately.
Send a direct email to the maintainers at:
Alternatively, you can open a private issue in this repository with the label security, and we will handle it privately.
When reporting a security vulnerability, please include:
- A detailed description of the vulnerability.
- Steps to reproduce the vulnerability.
- Sample code or relevant configuration files.
- Your environment details (e.g., Node.js version, operating system).
Once we receive the report, we will:
- Acknowledge your report and begin investigating the issue.
- Fix the vulnerability and release a patch version.
- Communicate the patch version and details to you before public disclosure.
- Update the documentation and changelog once the fix is live, to notify users of the vulnerability and its resolution.
Our goal is to resolve security issues promptly. Once the patch is released, we will:
- Notify the reporter of the fix.
- Release a new version of the package with a security update.
- Disclose the issue and resolution in the changelog once the fix is live, without revealing sensitive details.
We recommend the following to secure your project when using ts-runtime-picker:
- Regularly update your dependencies to ensure you are using the latest versions, especially security patches.
- Consider using tools like Snyk or Dependabot to monitor vulnerabilities in dependencies.
ts-runtime-picker is licensed under the MIT License. See the LICENSE file for more details.