Security updates are applied only to the most recent releases.
To securely report a vulnerability, please open an advisory on the affected GitHub repository. All repositories allow reporting vulnerabilities by clicking on the "New Issue" button.
- Your report will be acknowledged within two business days.
- The team will investigate and update the issue with relevant information.
- If the TSC does not confirm the report, no further action will be taken and the issue will be closed.
- If there is consensus on the TSC that this is a security risk for users, the TSC will take action to fix it immediately:
- Commits will be handled in a private repository for review and testing.
- Release a new patch version from the private repository.
- Issue a security advistory through GitHub.
- Write a blog post about the vulnerability.
- Notify Tidelift about the vulnerability.
If you do not receive an acknowledgement of your report within six business days, or if you cannot find a private security contact for the project, you may escalate to the OpenJS Foundation CNA at [email protected].
If the project acknowledges your report but does not provide any further response or engagement within 14 days, escalation is also appropriate.
Security advisories are only issued when a confirmed vulnerability can be exploited by a non-local actor. Because ESLint and its related packages are primarily used as development dependencies on local machines, there are no security concerns related to regular expression performance or other problems that could bring down a public-facing server. These issues should be filed as bug reports instead of advisories.