| Version | Supported |
|---|---|
| 0.0.x | Yes |
If you discover a security vulnerability, please report it responsibly.
Do not open a public GitHub issue for security vulnerabilities.
Instead, email matt@matthesketh.pro with:
- Description of the vulnerability
- Steps to reproduce
- Affected package(s) and version(s)
- Potential impact assessment
- Acknowledgment: Within 48 hours
- Initial assessment: Within 1 week
- Fix timeline: Depends on severity, typically within 2 weeks for critical issues
We follow coordinated disclosure. Once a fix is released, we will:
- Publish a security advisory on GitHub
- Credit the reporter (unless anonymity is requested)
- Release patched versions of affected packages
This policy applies to all packages in the UtopiaJS monorepo:
@matthesketh/utopia-core@matthesketh/utopia-compiler@matthesketh/utopia-runtime@matthesketh/utopia-server@matthesketh/utopia-vite-plugin@matthesketh/utopia-router@matthesketh/utopia-email@matthesketh/utopia-aicreate-utopia