Security support is currently scoped to the actively supported runtime targets for this project:
- Node.js 18.x and newer
- modern browsers with native `fetch`, `Request`, `Response`, `Headers`, `URL`, and `AbortController`

Legacy runtimes, polyfill-driven environments, and unsupported platform shims are out of scope.
Please do not open a public GitHub issue for a suspected security vulnerability.
Instead, use GitHub's private vulnerability reporting for this repository:
- Open the repository on GitHub.
- Go to the Security tab.
- Use the private vulnerability reporting flow to submit the report.
Please include:
- a short description of the issue
- the affected versions or commit range if known
- reproduction details or a proof of concept
- any suggested remediation if available
The goal is coordinated disclosure:
- acknowledge receipt promptly
- confirm severity and impact
- prepare and validate a fix before public disclosure when feasible
- publish remediation guidance once a fix or mitigation is ready
This package is intentionally designed to reduce attack surface:
- zero runtime dependencies
- no lifecycle scripts
- no built-in telemetry
- no hidden network behavior beyond the caller's request
- a narrow public API and explicit runtime support policy
These choices reduce risk, but they do not eliminate the need for careful review, secure release practices, and responsible disclosure.
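Consumers can verify the first two claims in the list above against the manifest they actually install. The following is an added example, not part of this project's code: it audits a parsed `package.json` for runtime dependency fields and npm lifecycle hooks and returns the findings. The manifests in the block are constructed for illustration.

```javascript
// Added example (not the project's own code): audit a parsed package.json
// for the supply-chain properties a "zero runtime dependencies, no lifecycle
// scripts" policy promises. Manifests below are constructed sample input.

// npm runs these scripts automatically during install, publish, or pack,
// so any of them executes package-controlled code on the consumer's machine.
const LIFECYCLE_SCRIPTS = [
  'preinstall', 'install', 'postinstall',
  'preuninstall', 'uninstall', 'postuninstall',
  'prepublish', 'prepublishOnly', 'prepare', 'prepack', 'postpack',
];

// Fields that cause extra code to be installed alongside the package.
// peerDependencies are flagged too: the consumer must still install them.
const RUNTIME_DEP_FIELDS = ['dependencies', 'optionalDependencies', 'peerDependencies'];

// Returns a list of human-readable findings; an empty list means the
// manifest matches the policy.
function auditManifest(pkg) {
  const findings = [];
  for (const field of RUNTIME_DEP_FIELDS) {
    const names = Object.keys(pkg[field] || {});
    if (names.length > 0) {
      findings.push(`${field}: ${names.join(', ')}`);
    }
  }
  const scripts = pkg.scripts || {};
  for (const name of LIFECYCLE_SCRIPTS) {
    if (Object.prototype.hasOwnProperty.call(scripts, name)) {
      findings.push(`lifecycle script "${name}": ${scripts[name]}`);
    }
  }
  return findings;
}

// Constructed manifest that satisfies the policy: only build-time tooling
// under devDependencies, and no install-time hooks.
const CLEAN_MANIFEST = {
  name: 'example-fetch-client',
  version: '1.0.0',
  scripts: { build: 'tsc', test: 'node --test' },
  devDependencies: { typescript: '^5.0.0' },
};

// Constructed manifest that violates it: a runtime dependency and a
// postinstall hook that would run arbitrary code during `npm install`.
const SUSPECT_MANIFEST = {
  name: 'example-fetch-client',
  version: '1.0.1',
  scripts: { build: 'tsc', postinstall: 'node ./setup.js' },
  dependencies: { 'left-pad': '^1.3.0' },
};

for (const pkg of [CLEAN_MANIFEST, SUSPECT_MANIFEST]) {
  const findings = auditManifest(pkg);
  console.log(`${pkg.name}@${pkg.version}:`,
    findings.length === 0 ? 'OK' : findings.join('; '));
}
```

Run this against the manifest in the installed tarball (`node_modules/<package>/package.json`) rather than the repository checkout, since what is published can differ from what is in git. Installing with `npm install --ignore-scripts` is the corresponding preventive control when a dependency does declare lifecycle hooks.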