| Version | Supported |
|---|---|
| 1.x | Yes (active) |
| < 1.0.0 prereleases | No |
Always upgrade to the latest 1.x release to receive fixes.
- Do not open a public issue.
- Submit a private report via GitHub Security Advisories ("Report a vulnerability" button on the repo).
- Alternatively, email hello@varien.dev with detailed reproduction steps and impact.
- You will receive acknowledgement within 3 business days. We aim to provide a fix or mitigation plan within 14 days, depending on severity.
When a fix is available, maintainers will coordinate disclosure, publish a patched release, and document remediation steps in the changelog or release notes.