| Version | Supported |
|---|---|
| 1.x | ✅ |
| < 1.0 | ❌ |

If you discover a security vulnerability, please report it privately:

- Do not open a public GitHub issue
- Email security concerns to the maintainers
- Or use GitHub's private vulnerability reporting

We will respond within 48 hours and work with you to understand and address the issue.

| Field | Value |
|---|---|
| Status | Won't fix - vendor declined remediation |
| Severity | High (CVSS 7.0) |
| Package | npm@11.9.0 (pinned via resolution, includes tar fix) |
| Impact | Development only - not in production bundle |
| Tracking | #87 |

Root cause: Insecure module loading - npm loads modules from unsecured locations.
Vendor response: npm maintainers declined to fix, claiming the behavior is "by design". ZDI published as 0-day on 2026-01-12 after vendor refusal.
Risk assessment: This is a development dependency used only for CI/CD publishing. Exploitation requires:
- Local code execution on target machine
- Ability to place malicious modules in npm's search path
- User to run npm commands

Production users are not affected - this package is not in the production bundle.
Action: Dependabot alert dismissed as tolerable risk. No patch expected from upstream.
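
The record above states that npm is pinned to 11.9.0 "via resolution" but does not say how that pin is verified. A pin declared in package.json only holds if the lockfile was regenerated after it was added, and nested copies under another tool's `node_modules` are the ones most often missed. The script below is an added example, not part of this repository's tooling: it assumes npm's `overrides` key (yarn's `resolutions` is accepted too) and a lockfileVersion 2/3 `packages` map, and it checks every installed copy of each pinned package against the declared version. The package.json and lockfile documents are constructed for the example; only the npm 11.9.0 pin comes from the record above.

```python
"""Check that a package.json pin actually took effect in the lockfile.

Added example, not the project's own tooling. Assumes npm's `overrides`
(or yarn's `resolutions`) in package.json and a lockfile whose `packages`
map is keyed by "node_modules/<name>" paths (lockfileVersion 2/3). The
sample documents below are constructed; only the npm 11.9.0 pin is taken
from the security record.
"""
import json

# Constructed package.json: npm is a dev dependency, forced to 11.9.0.
PACKAGE_JSON = json.dumps({
    "name": "example-project",
    "devDependencies": {"npm": "^11.0.0", "release-tool": "^2.0.0"},
    "overrides": {"npm": "11.9.0"},
})

# Constructed lockfile where the override applied and the single copy of
# npm was hoisted to the top level.
LOCK_OK = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-project"},
        "node_modules/npm": {"version": "11.9.0", "dev": True},
        "node_modules/release-tool": {"version": "2.3.1", "dev": True},
    },
})

# Constructed lockfile where a stale nested copy survived, e.g. because the
# lockfile predates the override and was never regenerated.
LOCK_STALE = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-project"},
        "node_modules/npm": {"version": "11.9.0", "dev": True},
        "node_modules/release-tool": {"version": "2.3.1", "dev": True},
        "node_modules/release-tool/node_modules/npm": {"version": "10.8.0", "dev": True},
    },
})


def declared_pins(package_json_text):
    """Return {package: version} for every exact pin in overrides/resolutions.

    npm allows nested override objects, where a "." key pins the package
    itself; "$name" references and non-string specs are skipped here.
    """
    manifest = json.loads(package_json_text)
    pins = {}
    for key in ("overrides", "resolutions"):
        for name, spec in manifest.get(key, {}).items():
            if isinstance(spec, dict):
                spec = spec.get(".")
            if isinstance(spec, str) and not spec.startswith("$"):
                pins[name] = spec
    return pins


def installed_copies(lock_text, name):
    """Return [(path, version)] for every copy of `name` in the lockfile,
    including nested node_modules trees and scoped packages."""
    packages = json.loads(lock_text).get("packages", {})
    copies = []
    for path, meta in packages.items():
        if not path:
            continue  # "" is the root project entry, not a dependency
        # The package name is whatever follows the last "node_modules/".
        if path.rsplit("node_modules/", 1)[-1] == name:
            copies.append((path, meta.get("version")))
    return copies


def check_pins(package_json_text, lock_text):
    """Return human-readable violations; an empty list means every pin holds."""
    problems = []
    for name, wanted in declared_pins(package_json_text).items():
        copies = installed_copies(lock_text, name)
        if not copies:
            problems.append(f"{name}: pinned to {wanted} but not present in lockfile")
        for path, got in copies:
            if got != wanted:
                problems.append(f"{path}: resolved {got}, pinned {wanted}")
    return problems


if __name__ == "__main__":
    for label, lock in (("clean lockfile", LOCK_OK), ("stale lockfile", LOCK_STALE)):
        print(label, check_pins(PACKAGE_JSON, lock) or "OK")
```

Run against the real `package.json` and `package-lock.json` in CI, failing the job when `check_pins` returns anything, so that the "pinned via resolution" claim in the record is re-verified on every change to the lockfile.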