Only the most recent minor of each @viscalyx/developer-mode-* package receives security fixes. Older minors are upgraded by bumping to the latest.

Please do not open a public GitHub issue for security problems.

Use GitHub's private security advisory flow to report a vulnerability. We acknowledge reports within five working days and aim to ship a fix within 30 days for confirmed issues.

When reporting, please include:

• The affected package and version.
• A minimal reproduction or proof of concept.
• Your assessment of impact (what an attacker can do).

Once a fix is released we publish a GitHub Security Advisory and credit the reporter (unless they prefer to remain anonymous).