Only the latest major release receives security fixes. All earlier major versions are unsupported and will not be patched.
The latest major version is whatever is currently published on Packagist — upgrade to it to stay on a supported release.
Please do not open a public GitHub issue for security vulnerabilities.
Use GitHub Private Vulnerability Reporting to submit a report confidentially. This keeps the details private until a fix is available and integrates directly with GitHub's security advisory workflow.
Include as much of the following as possible:
- A description of the vulnerability and its potential impact
- Step-by-step reproduction instructions or a proof-of-concept
- Affected versions
- Any suggested mitigations
| Milestone | Target |
|---|---|
| Acknowledgement | Within 5 business days |
| Fix or mitigation plan (critical / high) | Within 30 days |
| Fix or mitigation plan (medium / low) | Within 90 days |
We will keep you informed of progress throughout the process.
We follow coordinated disclosure:
- The vulnerability is confirmed and a fix is developed in private.
- A patched release is published.
- The GitHub security advisory is made public after the release.
Reporters are credited in the published advisory unless they prefer to remain anonymous. Please let us know your preference when submitting.