Please report security issues privately via GitHub Security Advisories. Do not open public GitHub issues for vulnerabilities.
We aim to acknowledge reports within 5 working days and to coordinate a fix and disclosure timeline with you.
Only the latest minor of each major is supported with security fixes.
| Package | Supported |
|---|---|
| @tumaet/apollon (npm) | 4.x |
| Standalone Docker images (server + webapp) | latest vX.Y.Z |
| tumaet.apollon-vscode (VS Marketplace / Open VSX) | latest published |
Older majors are end-of-life and will not receive backports.
In scope:
- @tumaet/apollon library code and its public API.
- The standalone server (standalone/server) and webapp (standalone/webapp).
- The VS Code extension (vscode-extension).
Out of scope:
- Third-party services the deployment connects to (e.g., Artemis instances).
- Self-XSS that requires a privileged user to paste an attacker-controlled payload into a diagram body inside the same browser session.