The following versions of js2uri are currently supported with security updates:

For security vulnerabilities, please use private disclosure:

1. Preferred: Report via GitHub Security Advisories

   • Enables confidential, coordinated disclosure
   • Reporter receives recognition for discovery
   • Allows collaborative fix development before public announcement

2. Alternative: If you cannot use GitHub Security Advisories, create a private issue or contact the maintainer directly (see package.json for contact info)

Please do not report security vulnerabilities via public GitHub issues as this may put users at risk before a fix is available.

When reporting a vulnerability, please include:

• Description of the vulnerability
• Steps to reproduce
• Potential impact
• Suggested fix (if you have one)

• Initial Response: Within 48 hours
• Status Update: Within 7 days
• Fix Timeline: Typically within 30 days for high/critical severity issues

• 2FA Required: All package maintainers must enable two-factor authentication on their npm accounts
• Automated Publishing: Packages are published from GitHub Actions using OIDC trusted publishing
  • Publishing triggered via GitHub Releases (on: release)
  • Uses OpenID Connect (OIDC) authentication - no long-lived tokens required
  • Provenance attestation provides cryptographic proof of build origin
  • Published packages can be verified at: npm view js2uri@<version> --json
  • Zero Dependencies: No supply chain to audit - eliminates transitive dependency vulnerabilities

• Signed Commits: All commits to the main branch must be GPG signed
• Code Review: All changes require review and approval before merging (via CODEOWNERS)
• Dependencies: Zero production dependencies eliminate dependency vulnerabilities
• Dependency Monitoring: Dependabot monitors for future dependency issues
• Lockfile Protection: npm ci validates package-lock.json integrity (fails if corrupted or mismatched)

The main branch has the following protections enabled:

• Pull Request Reviews: One CODEOWNERS approval required
• Dismiss Stale Reviews: Approvals dismissed on new commits
• Status Checks Must Pass:
  • CodeQL security analysis
  • Node.js 22.x build
  • Code linting

• GPG-Signed Commits: Mandatory for all commits
• Linear History: Merge commits prevented to maintain clean history

• Admin Enforcement: Branch protection rules apply equally to administrators
• Force Push Protection: Force pushes disabled
• Deletion Protection: Branch deletions disabled

The following GitHub security features are enabled:

• Vulnerability Alerts: Dependabot alerts for known vulnerabilities
• Automated Security Updates: Dependabot automatically creates PRs for security fixes
• Secret Scanning: Detects exposed credentials and tokens
• Push Protection: Blocks commits containing secrets
• Private Vulnerability Reporting: Via GitHub Security Advisories

Users and consumers can verify the integrity of published packages:

# View provenance attestation and verify zero dependencies
npm view js2uri@<version> --json

# Verify zero production dependencies
npm view js2uri@<version> dependencies

Each release includes:

• GPG-signed commits and tags
• npm provenance attestation for build transparency
• Zero production dependencies (no supply chain to audit)
• Security audit results from CI pipeline