Reporting Security Issues
Security issues must be handled with proper care, since they can have a serious impact on existing the applications using AdonisJS. You must not report security issues on Github and always email us at [email protected].
Once you have submitted an issue via email, you should receive an acknowledgment within 48 hours, and depending on the action to be taken, you may receive further followup emails.
At the time of security disclosure, AdonisJS will publish a new patch release. We will also publish security patches for last 2 minor versions. For example:
If the current version is
v5.4.2, then we will also publish the patch for
After the fix has been applied, we will publish the new releases to the npm registy without making any public announcements. The security vulnerability is only disclosed only after 7 days of publishing the fix.