Security: kh3rld/prisoners-dilemma

Security Policy

Supported Versions

We take security issues seriously and will address them promptly. The table below shows which versions of the project are currently supported with security updates:

| Version | Supported |
| ------- | --------- |
| 5.1.x   |           |
| 5.0.x   |           |
| 4.0.x   | ✅        |
| < 4.0   | ❌        |

Reporting a Vulnerability

If you discover a security vulnerability, please report it by following the process below:

  1. Do not open a public issue. Instead, send an email to [email protected] with the following details:

    • A description of the vulnerability.
    • Steps to reproduce the vulnerability.
    • Any potential fixes or workarounds you are aware of.
    • The impact or potential impact of the vulnerability.

  2. We will acknowledge receipt of your email within 48 hours and work with you to understand the severity and impact of the issue.

  3. We aim to resolve critical security issues within 72 hours. Non-critical issues may take longer, depending on their complexity and severity.

  4. After the vulnerability is resolved, we will coordinate with you on a public disclosure, if applicable. Your name or handle may be included in the security advisory if you wish.

Security Update Policy

When a security update is made, it will be noted in the project’s release notes and included in the next regular release. If the issue is critical, a patch release will be made as soon as possible.

Security updates are backported to the last minor release for each major version that is still supported. For example, if a vulnerability is discovered in version 2.3.1, the fix will be applied to 2.3.2, and if necessary, to 2.2.x as well.

General Security Best Practices

To maintain security while using this project, please follow these best practices:

  • Always use the latest supported version of the project.
  • Regularly audit your dependencies and their versions for security issues.
  • Limit access to sensitive data and environments.
  • Keep your environment (e.g., servers, databases) updated with the latest security patches.
  • Monitor logs and set up alerts for unusual activities.

Contact

If you have any questions about this security policy or how we handle security issues, feel free to contact us at [email protected].

There aren’t any published security advisories