Except for versions 3.3 and prior, the last three minor releases of the most recent major version are supported.
| Version | Supported Until | Support Status |
|---|---|---|
| 3.4 | 3.7 or 4.0 is released | ✅ Supported |
| 3.0 – 3.3 | ❌ Unsupported | |
| < 3.0 | ❌ Unsupported |
If you find a vulnerability in jshiki, please get in touch with Adaline at adalinesimonian@gmail.com. Provide the following information:
- The version of jshiki affected by the vulnerability (e.g. 3.4.0)
- The type of vulnerability (e.g. buffer overflow)
- Detailed steps to reproduce the vulnerability
- Proof-of-concept or exploit code
- The potential impact of the vulnerability
When a vulnerability is reported, or if we discover a security issue, we will:
-
Investigate the issue and verify that the alleged vulnerability is exploitable.
-
If the vulnerability is validated, we will determine whether or not the vulnerability has already been addressed or if an existing mitigation is available.
-
If the vulnerability has not yet been addressed, we will classify the vulnerability as a critical, high, medium, or low-severity issue, which will determine the response time and mitigation plan.
If a third party reported the vulnerability, we will communicate and work with the reporter throughout the response process.
The response to the vulnerability depends on its severity:
| Severity | Response |
|---|---|
| Critical vulnerabilities can be easily exploited by an unauthorised user to gain elevated privileges on the targeted system. Successful exploitation completely compromises data or application security, integrity, or availability. | Immediate response: We will immediately take action and fix the vulnerability as promptly as possible in a patch release. |
High-severity vulnerabilities:
|
Expedited response: We will take action to fix the vulnerability as quickly as possible and release a fix in a patch release. |
| Moderate-severity vulnerabilities require more specific circumstances to be exploited, such as a certain configuration or factor in the environment, but can still be abused to compromise system or application integrity or availability. | Standard response: We will release a fix in the next major or minor release. |
| Low-severity vulnerabilities either have a minimal impact on application and data security or have significant hurdles that must be overcome before they can be exploited. | Standard response: We will release a fix in the next major or minor release. |