Security: JosephMaynard/dependency-radar

SECURITY.md

Security Policy

Supported Versions

Dependency Radar is an actively developed project and security fixes are applied to the latest released version.

At the moment, only the most recent release is considered supported for security issues.

Version          Supported
Latest release   Yes
Older releases   No

Reporting a Vulnerability

Please do not open a public GitHub issue for suspected security vulnerabilities.

If you believe you have found a security issue in Dependency Radar, please report it privately by emailing:

magicaltrailsapp@gmail.com

Please include as much detail as you can, for example:

  • a description of the issue
  • steps to reproduce it
  • the version of Dependency Radar affected
  • the impact you believe it may have
  • any proof of concept or logs that would help reproduce it safely

You can encrypt your report if needed. If you want to use encrypted email, mention that in your initial message and we can arrange a suitable method.

What to Expect

I will aim to:

  • acknowledge receipt of your report within 5 working days
  • assess and triage the report as quickly as possible
  • keep you informed of the outcome where practical
  • coordinate a fix and release before public disclosure where appropriate

Scope

This policy covers security issues in:

  • the Dependency Radar CLI
  • the report generation code
  • the report UI bundled into the generated artifact
  • the official project repository and published npm package

It does not cover:

  • vulnerabilities in third party dependencies outside Dependency Radar’s own code
  • general usage questions or feature requests
  • reports that only concern a scanned project’s own dependencies rather than Dependency Radar itself

Disclosure

Please allow reasonable time for investigation and remediation before making any public disclosure.

If a report is accepted as a genuine security issue, I may credit the reporter in release notes or documentation, unless you would prefer to remain anonymous.