Please report security issues privately using the GitHub Security Advisory workflow (Security → “Report a vulnerability”).
Do not open a public GitHub issue for security problems.
We aim to acknowledge reports within 7 business days. If you do not receive an acknowledgement within 7 business days, forward your report to [email protected].
Confirmed vulnerabilities will be published as a GitHub Security Advisory (and assigned a CVE when applicable). Notices are also shared via:
- Node.js blog advisories, when necessary: https://nodejs.org/blog/vulnerability/