For all repositories in the PHPCompatibility organisation, the latest patch version of the current major is supported for security updates.
Security patches may be backported to a previous major branch for up to a year after the last (non-security) release for that major.
All packages in the PHPCompatibility organisation are developer tools and should generally not be used in a production (web-accessible) environment.
Having said that, responsible disclosure of security issues is highly appreciated.
Please do not report or discuss security vulnerabilities through public GitHub issues, discussions, or pull requests.
Issues can be reported privately to the maintainers by opening a Security vulnerability report in the appropriate repository.
- Please provide detailed reports with reproducible steps and a clearly defined impact.
- Include the version number of the vulnerable package in your report.
- Fixes are most welcome. A private PR can be created from the security report to work on and discuss the patch.