Only the latest released version on the current major receives security updates. Older majors and older patch releases within the current major do not receive backports. Pin to a SHA in production (see README).
| Version | Supported |
|---|---|
| Latest release on the current major (e.g. newest v1.y.z) | Yes |
| Older v1.y.z releases | No |
| Older majors (e.g. v0.x) | No |
Do not open a public issue for security vulnerabilities.
Use GitHub's private vulnerability reporting. Acknowledgement target: 72 hours.
Include:
- Affected version (tag or SHA).
- Reproduction steps or proof-of-concept.
- Impact assessment (confidentiality / integrity / availability).
- Suggested fix, if any.
This action is a thin composite wrapper around the upstream stac-check CLI. Vulnerabilities in stac-check itself should be reported to the stac-utils project.
In scope here:
- Shell argument construction and injection vectors.
- Permission escalation paths.
- Secret exposure.
- Supply chain (action SHA pinning, dependency declarations).
Coordinated disclosure preferred. Embargo period negotiable based on severity.