Skip to content

Security: flaglint/flaglint-js

Security

SECURITY.md

Security Policy

Reporting a Vulnerability

Please report suspected vulnerabilities privately by opening a GitHub Security Advisory:

https://github.com/flaglint/flaglint-js/security/advisories/new

If GitHub advisories are unavailable, email the maintainer listed on the npm package page with the following details:

  • Affected FlagLint version (run flaglint --version)
  • Steps to reproduce
  • Observed impact

Do not open a public GitHub issue for a security vulnerability until it has been triaged and a fix is available.

Maintainers aim to acknowledge reports within 5 business days and to publish a patch release for confirmed vulnerabilities as soon as practical.

Supported Versions

Security fixes are provided for the latest published version of FlagLint. Older versions are not actively patched — upgrade to the latest release.

Version Supported
Latest Yes
Older No

Reporting a False Positive or Unsupported Pattern

If FlagLint flags a call site it should not (false positive), or misses a pattern it should detect (false negative), open a GitHub Issue with a minimal reproduction:

https://github.com/flaglint/flaglint-js/issues/new?template=unsupported_pattern.yml

Include the source snippet, the FlagLint version, and the command you ran. Label the issue false-positive or unsupported-pattern.

Scope

FlagLint is a local static-analysis CLI. It reads source files from the directory you point it at and writes reports or transformed files to disk. No source code is transmitted to FlagLint-owned infrastructure.

See docs/trust.md for a full trust and provenance statement.

There aren't any published security advisories