Security Policy

April 5, 2026 · View on GitHub

Supported Versions

Only the latest stable release receives security fixes.

VersionSupported
latest:white_check_mark:
older:x:

Reporting a Vulnerability

Please do not open a public GitHub issue for security vulnerabilities.

Use GitHub's private Report a vulnerability feature. You will receive a response within 7 days, and a fix will be released as soon as possible depending on severity.

Supply Chain Security

  • SBOM — a Software Bill of Materials in CycloneDX format (JSON and XML) is attached to every release as sbom.cyclonedx.json / sbom.cyclonedx.xml.
  • License report — a full dependency license inventory (licenses.csv / licenses.md) is also attached to every release.
  • Trusted Publishing — packages are published to PyPI via OIDC Trusted Publishing, without storing long-lived API tokens.