If you discover a security vulnerability in xpm, please do not open a public issue. Instead, report it privately:
Email: x@xscriptor.com
Include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)

What to expect:
- You will receive an acknowledgment within 48 hours
- A fix will be developed and released as soon as possible
- You will be credited in the release notes (unless you prefer anonymity)
The following are in scope:
- Code execution vulnerabilities in xpm or xpm-core
- Package signature bypass or verification flaws
- Path traversal during package installation or extraction
- Privilege escalation during install/remove operations
- Dependency resolver manipulation
- Repository authentication bypass
- Supply chain issues
| Version | Supported |
|---|---|
| Latest main | ✅ |
| Older releases | Best effort |