Skip to content

Security: erkez/packer

Security

SECURITY.md

Security policy

Supported versions

Version Supported
1.x Yes
0.16.x No

Reporting a vulnerability

Please do not open a public GitHub issue for security reports.

Email security concerns to the maintainers of @ekz/packer (see npm maintainer contacts or your internal security channel). Include:

  • Package and version affected
  • Steps to reproduce
  • Impact assessment if known

We aim to acknowledge reports within a few business days and will coordinate a fix and release before public disclosure when appropriate.

Release integrity

@ekz/packer and @ekz/eslint-config-packer are published from GitHub Actions using npm trusted publishing (OIDC). Releases use yarn npm publish (via scripts/release.mjs) so Yarn resolves workspace: dependencies before upload; changeset publish alone would publish broken workspace:^ ranges.

Verify provenance on npm when installing.

Dependency updates

  • Dependabot opens weekly grouped update PRs for npm and GitHub Actions (minor/patch, major, and security advisories batched per ecosystem).
  • Minor, patch, and security Dependabot PRs are auto-merged when CI and dependency review pass (see dependabot-automerge.yml); major updates require manual review.
  • Pull requests run dependency review and block merges that introduce high or critical vulnerabilities.
  • Yarn enforces a 7-day minimum package age for newly published npm versions (.yarnrc.yml).

There aren't any published security advisories