Security fixes apply to the latest stable tagged release of JOOservices React Components once v1.0.0 exists.
Until the first stable tag, treat the default branches as pre-release development.
Do not open public GitHub issues for suspected vulnerabilities.
Report security concerns privately to admin@jooservices.com with:
- a clear summary of the issue
- affected package path(s) and version(s) when known
- impact and expected risk
- reproduction details when available
Maintainers will acknowledge reports as soon as they can. Investigation and disclosure timeline depend on severity. No guaranteed SLA is promised.
This policy covers security issues in repository-managed behavior such as:
- component render and interaction paths that could enable XSS when used as documented
- dependency and CI configuration that affects consumers or repository integrity
- leaked secrets or credentials in the repository
Normal bugs, feature requests, and documentation improvements should use GitHub issues.