| Version | Supported |
|---|---|
| >= 2.6 | ✅ |
| < 2.6 | ❌ |

Please do not report security vulnerabilities through public GitHub issues.
Try to get in touch with the main maintainer by email at im[at]kdy.ch (PGP), if possible with [SECURITY] prefixed in the subject line.
You should expect a reply within 24 hours. If for some reason that does not happen, please follow up again via email or try to notify me on another platform that I should have received an email from you.
Please prefer to use English and include as much information as possible, including:
- Version(s) tested
- Full path to the file(s) being the cause of the report
- The tested environment (i.e. the OS and its version, Node.js version)
- Special configuration used, if any
- A proof-of-concept or the code used for exploitation, if possible
- Explanation of the impact and how an attacker can run an exploit
Please note that we do not offer a bug bounty at the moment.