Any fixes for security vulnerabilities will be applied to a new release only, rather than retrospectively applied to previous releases.
The reason for this is that the label checker is a standalone GitHub Action with (purposefully) minimal dependencies and therefore very straightforward for consumers to update versions. It's recommended for consumers to pin to the major version of the label checker, so that they automatically get all new backwards compatible updates (major version updates will be extremely rare events, one every few years at most, and very possible less frequent even than that).
If a vulnerability is serious enough we may also apply it to previous major versions, but this is not guaranteed.
Our policy is for vulnerability reports to be reported privately. To report a new vulnerability:
- go to the repository's Security Advisories page
- click on
Report a vulnerability
Tips on creating a great vulnerability report
We welcome and appreciate vulnerability reports and will endeavour to respond very swiftly.