Security updates are provided for the following versions of apm.
| Version | Supported |
|---|---|
| 3.x.x | ✅ |
| < 3.0.0 | ❌ |
If you discover a security vulnerability, please report it responsibly.
Preferred: GitHub Security Advisories (private report)
Alternative: Open a minimal public issue asking for a private contact channel, or contact the maintainers listed in package.json.
Please do not disclose security issues in public issues with full exploit details before a fix is available.
- Description of the vulnerability
- Steps to reproduce
- Affected versions
- Impact assessment (if known)
- Acknowledgement: within 7 days
- Status update: within 30 days, or an explanation of delay
- Fix: coordinated disclosure after a patch release when possible
We appreciate responsible disclosure and will credit reporters in the release notes when appropriate.
apm allows users to configure custom package data URLs in settings. Pointing apm at an untrusted mirror can expose you to malicious package metadata or downloads. Use only sources you trust. Integrity checks (SSRI) reduce but do not eliminate this risk.
apm is tested primarily on Windows. Builds for macOS and Linux are provided without a support guarantee. Security fixes target Windows behavior first.