Only the latest version of the libraries are supported.
| Version | Supported |
|---|---|
| 2.3.0 | ✅ |
| <= 2.2.0 | ❌ |
To report a vulnerability you can use GitHub's private vulnerability reporting or via email to [email protected].
I will try to acknowledge your email within 48 hours, but please keep in mind this is a "spare-time" project. After the initial reply to your report, the security I will endeavor to keep you informed of how a fix is progressing and when you can expect it to be delivered. I may ask for additional information on the bug.
Please reproduce your bug on the latest supported version published on nuget.org
When diagnosing and fixing a security bug the process is as follows:
- Confirm the problem and determine the affected versions.
- Audit code to find any potential similar problems.
- Prepare fixes for the latest released package.
- Build and test fixes in private.
- Release to nuget after successful testing.
- Create advisory so dependabot and others will start notifications.
I would prefer report remain confidential until a fix is released, or I decide it is not an issue, but I acknowledge that some have other feelings about disclosure policies.