The Node Wire maintainers take the security of the project seriously. This document explains which versions receive security fixes and how to report a vulnerability responsibly.
Node Wire follows Semantic Versioning. Security fixes are applied to the latest 1.x release and the main branch.

| Version | Supported |
|---|---|
| 1.0.x | ✅ |
| < 1.0 | ❌ |

Please do not open a public GitHub issue for security vulnerabilities.
Report suspected vulnerabilities privately through either of the following:
- GitHub Security Advisories — use the private vulnerability reporting form for this repository (preferred).
- Email — send details to security@aot-technologies.com.

When reporting, please include as much of the following as you can:
- A description of the vulnerability and its potential impact.
- The component or file involved (e.g. a connector, binding, or runtime module).
- Steps to reproduce, including a minimal proof of concept if available.
- The version, commit, or deployment configuration affected.

After you submit a report, you can expect the following from the maintainers:
- Acknowledgement within 3 business days of your report.
- An initial assessment and severity triage within 10 business days.
- Coordinated disclosure: we will work with you on a fix and a public disclosure timeline, and credit you in the advisory unless you prefer to remain anonymous.

Please give us a reasonable opportunity to remediate the issue before any public disclosure.
This policy covers the code in this repository: the runtime, connectors, and bindings. Vulnerabilities in third-party dependencies should be reported to the relevant upstream project; if a dependency issue affects Node Wire users, we still welcome a heads-up so we can pin or patch accordingly.