| Package | Version | Supported |
|---|---|---|
| @opensourceframework/next-csrf | >= 1.0.0 | ✅ |
| @opensourceframework/next-images | >= 1.0.0 | ✅ |
| @opensourceframework/critters | >= 1.0.0 | ✅ |
Given that we maintain security-critical packages like next-csrf, we take security seriously:
- Regular dependency audits: automated scanning for vulnerable dependencies
- Code review: all changes require review before merge
- Automated testing: security-related tests in the CI pipeline
- Responsible disclosure: private reporting before public disclosure
Please do not report security vulnerabilities through public GitHub issues.
Instead, please report them through GitHub Security Advisories:
- Go to the Security Advisories page
- Click "Report a vulnerability"
- Fill out the form with details about the vulnerability:
  - Description of the vulnerability
  - Steps to reproduce
  - Affected package and version(s)
  - Potential impact
  - Suggested fix (if any)
Once a report is received, you can expect:
- Initial response: within 48 hours
- Status update: within 7 days
- Fix timeline: depends on severity
  - Critical: within 7 days
  - High: within 14 days
  - Medium: within 30 days
  - Low: next scheduled release
When using our packages:
- Always use the latest supported version
- Review security advisories before upgrading
- Subscribe to GitHub Security Alerts
- Report any suspicious behavior
We appreciate responsible disclosure and will acknowledge security researchers who help keep our packages secure.