SECURITY.md version table is outdated — claims 0.0.x but package.json is v1.0.1 #7

@dmchaledev

Summary

The SECURITY.md file still references version 0.0.x in its "Supported Versions" table with the status "Incubation — not yet supported". However, the project has already been released as v1.0.1 (see package.json and npm).

This mismatch could cause confusion for users or security researchers who need to know whether a version is supported for security advisories.

Current state

SECURITY.md:

| Version | Status             |
| ------- | ------------------ |
| 0.0.x   | Incubation — not yet supported |

package.json:

"version": "1.0.1"

Suggested fix

Update the supported-versions table to reflect the current release:

| Version | Status                              |
| ------- | ----------------------------------- |
| 1.0.x   | Active development — best-effort    |

or, if v1.x is considered stable:

| Version | Status                         |
| ------- | ------------------------------ |
| 1.x     | Supported                      |

Additional findings

While reviewing the repo, I also noticed:

  • The README and dev.to post mention "OpenTelemetry traces and metrics out of the box" but no OpenTelemetry implementation exists in the source code. This is a docs-to-implementation mismatch worth addressing.
  • The CHANGELOG.md should be updated to reflect the v1.0.1 release (currently only has an Unreleased section).

Context

This was caught during an automated repository health scan. The project is otherwise healthy — CI is green, all 29 tests pass, and build/lint are clean.
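
A CI check that would catch this kind of drift, as an added example that is not part of the original issue or the project's own code: it compares the Version column of the SECURITY.md table with the version in package.json. The function names, the package name and the sample file contents are constructed for illustration.

```javascript
// Constructed sample inputs: the two table states quoted in the issue, plus its package.json version.
const STALE_POLICY = [
  "| Version | Status             |",
  "| ------- | ------------------ |",
  "| 0.0.x   | Incubation — not yet supported |",
].join("\n");
const FIXED_POLICY = [
  "| Version | Status                           |",
  "| ------- | -------------------------------- |",
  "| 1.0.x   | Active development — best-effort |",
].join("\n");
const PACKAGE_JSON = '{ "name": "example-package", "version": "1.0.1" }'; // name is a placeholder

// Collect the Version column of every table row that looks like a version range.
// The header ("Version") and separator ("-------") rows fail the pattern and are dropped.
function supportedRanges(securityMd) {
  return securityMd
    .split("\n")
    .filter((line) => line.trim().startsWith("|"))
    .map((line) => line.split("|")[1].trim())
    .filter((cell) => /^\d+(\.(\d+|x))*$/i.test(cell));
}

// True when a concrete version ("1.0.1") falls inside a range ("1.0.x", "1.x").
// Each range segment must equal the version segment unless it is the wildcard "x".
function covers(range, version) {
  const want = range.toLowerCase().split(".");
  const have = version.split("-")[0].split("."); // ignore any pre-release suffix
  return want.every((part, i) => part === "x" || part === have[i]);
}

// Compare the policy table with the released version; `ok` is false on drift.
function checkSecurityPolicy(securityMd, packageJsonText) {
  const { version } = JSON.parse(packageJsonText);
  const ranges = supportedRanges(securityMd);
  return { version, ranges, ok: ranges.some((r) => covers(r, version)) };
}

for (const [label, policy] of [["stale", STALE_POLICY], ["fixed", FIXED_POLICY]]) {
  const { version, ranges, ok } = checkSecurityPolicy(policy, PACKAGE_JSON);
  console.log(`${label}: package.json ${version}, SECURITY.md lists [${ranges}] -> ${ok ? "ok" : "DRIFT"}`);
}
```

In a pipeline, the two strings would be read from the repository files and the job would fail when `ok` is false.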

Labels: bug (Something isn't working)
