Only the latest release receives security fixes. We do not backport patches to older versions.
| Version | Supported |
|---|---|
| latest | Yes |
| older | No |
Please do not open a public GitHub issue for security vulnerabilities.
Use GitHub's built-in private reporting:
- Go to the Security tab of this repository.
- Click "Report a vulnerability".
- Fill in the details and submit.
A maintainer will acknowledge the report within 48 hours and aim to release a fix within 14 days, depending on severity and complexity. You will be notified of progress throughout.
A useful report includes:
- A clear description of the vulnerability and its potential impact.
- Steps to reproduce (a minimal reproduction is ideal).
- The version(s) affected.
- Any suggested fix or mitigation, if you have one.
| In scope | Out of scope |
|---|---|
| The tsgonest CLI binary | Third-party dependencies (report upstream) |
| @tsgonest/runtime npm package | The typescript-go submodule (report to Microsoft) |
| @tsgonest/types npm package | Vulnerabilities in test fixtures |
| The release / CI pipeline | |
We follow responsible disclosure. We ask that you give us reasonable time to address the issue before any public disclosure. We will credit reporters in the release notes unless you prefer to remain anonymous.