Compendium is pre-1.0. Only the latest released preview / stable line receives security fixes.

| Version | Supported |
|---|---|
| 1.x | ✅ |
| < 1.0 | ❌ |

Please do not open public issues for security vulnerabilities.

Report privately via GitHub Security Advisories. GitHub will notify the maintainers, and the advisory gives us a private channel to coordinate a fix before public disclosure.

When reporting, please include:

- The affected package(s) and version(s).
- A description of the vulnerability and its impact.
- Steps to reproduce, ideally a minimal repro repository or code snippet.
- Whether you'd like to be credited in the advisory once published.

What to expect after you report:

- Acknowledgement within 5 working days.
- Triaged severity within 10 working days.
- Fix timeline communicated as soon as the issue is validated.

We cannot guarantee a specific fix SLA for this pre-1.0 phase, but we take reports seriously and will keep you updated.

Once a fix is released, the advisory is published with a CVE (if applicable), affected version range, patched version, and a credit to the reporter if consented.