ev-flow follows Semantic Versioning. Security fixes are
released for the latest 3.0.x line.
| Version | Supported |
|---|---|
| 3.0.x | ✅ |
| < 3.0 | ❌ |
Please do not report security vulnerabilities through public GitHub issues.
Instead, use one of these private channels:
- GitHub Security Advisories (preferred). Open a private report via the repository's Security tab → Report a vulnerability. The advisory is visible only to you and the maintainers.
- Email bertrand.travacca@gmail.com with `[ev-flow security]` in the subject line.
Please include a description of the issue, the affected version(s), and steps to reproduce. You can expect an initial acknowledgement within 5 business days, and we will keep you updated as we work on a fix.
We follow coordinated disclosure: we will agree a fix and release timeline with you, and credit you in the advisory and CHANGELOG unless you prefer to remain anonymous. Please allow a reasonable window to ship a patch before any public disclosure.
ev-flow's CI continuously scans for known issues:
- Dependabot alerts + security updates on the dependency graph.
- pip-audit audits the runtime dependency closure against the PyPA advisory database on every push, pull request, and weekly.
- bandit runs static security analysis over `src/pev_synth/` (gated on medium-or-higher severity).
These run in the security and ci GitHub Actions workflows. As a synthetic
data-generation library with no network services and no handling of user
secrets, ev-flow's runtime attack surface is small; the primary security
concern is the integrity of its dependency chain, which the above tooling
monitors.
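As an added illustration, not ev-flow's own workflow file, the checks listed above can be expressed in a single GitHub Actions workflow like the one below; the cron schedule, Python version, job names and install commands are assumptions, while the audit and bandit invocations reflect the behaviour described (pip-audit on push, pull request and weekly; bandit failing only on medium-or-higher findings under `src/pev_synth/`):

```yaml
name: security

on:
  push:
  pull_request:
  schedule:
    - cron: "0 6 * * 1"   # weekly run, Monday 06:00 UTC (assumed schedule)

permissions:
  contents: read          # least privilege: the workflow only needs to read the repo

jobs:
  pip-audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"   # assumed interpreter version
      - name: Install the runtime dependency closure
        run: |
          python -m pip install --upgrade pip
          python -m pip install .
      - name: Audit installed packages against the PyPA advisory database
        run: |
          python -m pip install pip-audit
          pip-audit                # no arguments: audits the current environment

  bandit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"   # assumed interpreter version
      - name: Static analysis gated on medium-or-higher severity
        run: |
          python -m pip install bandit
          # -ll reports only MEDIUM and HIGH findings; bandit exits non-zero
          # when any are reported, so LOW-severity hits do not fail the job.
          bandit -r src/pev_synth/ -ll
```

Because pip-audit checks the packages actually installed rather than a lockfile, installing the project first is what makes the audit cover the full runtime closure, including transitive dependencies.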