AdonisJS takes security very seriously. We make sure that all security-related issues are addressed and fixed as a priority.

Reporting Security Issues

Security issues must be handled with proper care, since they can have a serious impact on existing applications using AdonisJS. You must not report security issues on GitHub; always email us at [email protected] instead.

Once you have submitted an issue via email, you should receive an acknowledgment within 48 hours, and depending on the action to be taken, you may receive further follow-up emails.

Supported Versions

At the time of security disclosure, AdonisJS will publish a new patch release. We will also publish security patches for the last 2 minor versions. For example:

If the current version is v5.4.2, then we will also publish the patch for v5.3.x and v5.2.x.

Disclosure Policy

After the fix has been applied, we will publish the new releases to the npm registry without making any public announcements. The security vulnerability is disclosed only 7 days after the fix has been published.