| Version | Supported |
|---|---|
| 1.x | Yes |
| 0.16.x | No |
Please do not open a public GitHub issue for security reports.
Email security concerns to the maintainers of @ekz/packer (see npm maintainer contacts or your internal security channel). Include:
- Package and version affected
- Steps to reproduce
- Impact assessment if known
We aim to acknowledge reports within a few business days and will coordinate a fix and release before public disclosure when appropriate.
@ekz/packer and @ekz/eslint-config-packer are published from GitHub Actions using npm trusted publishing (OIDC). Releases use yarn npm publish (via scripts/release.mjs) so Yarn resolves workspace: dependencies before upload; changeset publish alone would publish broken workspace:^ ranges.
Verify provenance on npm when installing.
- Dependabot opens weekly grouped update PRs for npm and GitHub Actions (minor/patch, major, and security advisories batched per ecosystem).
- Minor, patch, and security Dependabot PRs are auto-merged when CI and dependency review pass (see dependabot-automerge.yml); major updates require manual review.
- Pull requests run dependency review and block merges that introduce high or critical vulnerabilities.
- Yarn enforces a 7-day minimum package age for newly published npm versions (
.yarnrc.yml).