middag-io/framework is released on the 1.x line. Only the most recent
tagged release receives security fixes — there are no long-term support
branches, and upgrading to the latest release is the supported remediation
path.
| Version | Supported |
|---|---|
Latest 1.x release |
✅ |
| Older releases | ❌ |
The versioning policy (including how breaking changes ship during 1.x) is
documented in API-STABILITY.md. We recommend tracking
the latest release so you receive security and bug fixes promptly.
If you discover a security vulnerability, please report it privately by email to michael@middag.io.
Do not open public GitHub issues, pull requests, or discussions for security problems. Public disclosure before a fix is available puts all users at risk.
Please include as much detail as you can:
- A description of the vulnerability and its potential impact.
- Steps to reproduce, or a proof of concept.
- Affected version(s) and any relevant environment details.
- Acknowledgement: We aim to acknowledge your report within a few business days.
- Coordinated disclosure: We follow responsible (coordinated) disclosure. We will work with you to understand and address the issue before any public disclosure, and we ask that you keep the report confidential until a fix has been released.
- Credit: If you would like recognition for your report, we are happy to credit you once the issue is resolved. Let us know your preference.
Thank you for helping keep middag-io/framework and its users safe.