Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
No change to code. This adds a security policy. Issue #1058
- Loading branch information
Showing
1 changed file
with
31 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,31 @@ | ||
# ShellJS Security Policy | ||
|
||
Thank you for reaching out regarding the security of the ShellJS module! Please | ||
note that this project is maintained on a best-effort basis, however I still | ||
intend to prioritize reviewing and addressing security issues. | ||
|
||
## Supported Versions | ||
|
||
I generally only support the latest ShellJS release (see | ||
https://www.npmjs.com/package/shelljs). My goal is to release security fixes as | ||
patch releases on top of whatever was most recently shipped. | ||
|
||
If breaking changes have already landed on the main development branch, I may | ||
apply the patch on the relevant release branch (ex. | ||
[`0.8-release`](https://github.com/shelljs/shelljs/commits/0.8-release) and | ||
create a new release from there. | ||
|
||
## Reporting a Vulnerability | ||
|
||
Please report security vulnerabilities to ntfschr@gmail.com. I should respond | ||
within a few days. Although it's not strictly required, it helps me out if you | ||
can include any proof of concept exploit code, suggested fix, etc. | ||
|
||
**Please do not publicly disclose the suspected vulnerability** until I have a | ||
chance to review your report. I'd like a chance to patch the code before the | ||
issue is known to the public. | ||
|
||
Please **only** use this email for security issues. It's also OK to use the | ||
email if you're legitimately unsure if this is a security issue (better safe | ||
than sorry). But for all other non-security issues, please use the GitHub issue | ||
tracker. |