
Security: roziscoding/jack

SECURITY.md

Security Policy

Supported Versions

jack follows a rolling-release model: only the latest released version is supported and gets security fixes. There are no long-term maintenance branches for older releases.

Staying up to date is intentionally simple — security patches ship as ordinary releases, so staying secure just means bumping to the most recent version tag. If you're on the latest tag, you have all the fixes.

Reporting a Vulnerability

Please do not open a public issue for security vulnerabilities.

Instead, report them privately through GitHub's Security Advisories:

👉 https://github.com/roziscoding/jack/security/advisories

That keeps the issue private until there's a fix ready to disclose.

When you report, it helps to include:

  • A clear description of the vulnerability and its potential impact
  • Steps to reproduce, or a proof of concept
  • The affected version and your environment, where relevant

What to expect

  • I'll acknowledge new reports as soon as I can, and keep you posted as I look into it.
  • Once I have a fix, I'll ship it as a new release and disclose the advisory publicly — and I'll credit you unless you'd rather stay anonymous.

Thanks for helping keep jack and its users safe.
