middag-io/framework is in a pre-1.0 alpha (0.x) phase. Only the newest release receives security fixes — there are no long-term support branches, and upgrading to the latest 0.x minor is the supported remediation path.

During the 0.x series the public API may still change. We recommend tracking the latest release so you receive security and bug fixes promptly.

If you discover a security vulnerability, please report it privately by email to michael@middag.io.

Do not open public GitHub issues, pull requests, or discussions for security problems. Public disclosure before a fix is available puts all users at risk.

Please include as much detail as you can:

• A description of the vulnerability and its potential impact.
• Steps to reproduce, or a proof of concept.
• Affected version(s) and any relevant environment details.

• Acknowledgement: We aim to acknowledge your report within a few business days.
• Coordinated disclosure: We follow responsible (coordinated) disclosure. We will work with you to understand and address the issue before any public disclosure, and we ask that you keep the report confidential until a fix has been released.
• Credit: If you would like recognition for your report, we are happy to credit you once the issue is resolved. Let us know your preference.

Thank you for helping keep middag-io/framework and its users safe.