Dependency Radar is actively developed, and security fixes are applied only to the most recent release.
Older releases are not patched; if you are running one, upgrade to the latest release to receive security fixes.
| Version | Supported |
|---|---|
| Latest release | Yes |
| Older releases | No |
Please do not open a public GitHub issue for suspected security vulnerabilities.
If you believe you have found a security issue in Dependency Radar, please report it privately by emailing:
Please include as much detail as you can, for example:
- a description of the issue
- steps to reproduce it
- the version of Dependency Radar affected
- the impact you believe it may have
- any proof of concept or logs that would help reproduce it safely
You can encrypt your report if needed. If you want to use encrypted email, say so in your initial (unencrypted) message, without including the sensitive details, and I will arrange a suitable method with you, such as exchanging a public key.
I will aim to:
- acknowledge receipt of your report within 5 working days
- assess and triage the report as quickly as possible
- keep you informed of the outcome where practical
- coordinate a fix and release before public disclosure where appropriate
This policy covers security issues in:
- the Dependency Radar CLI
- the report generation code
- the report UI bundled into the generated artifact
- the official project repository and published npm package
It does not cover:
- vulnerabilities in third party dependencies outside Dependency Radar’s own code (please report those to the upstream project)
- general usage questions or feature requests
- reports that only concern a scanned project’s own dependencies rather than Dependency Radar itself
Please allow reasonable time for investigation and remediation before making any public disclosure.
If a report is accepted as a genuine security issue, I may credit the reporter in release notes or documentation, unless you would prefer to remain anonymous.