The current maintained minor line receives security fixes. Older minor lines may receive fixes only when a low-risk backport is practical.
| Version | Supported | Notes |
|---|---|---|
| 1.1.x | Yes | Actively maintained. |
| 1.0.x | No | Deprecated; upgrade recommended. |
| < 1.0 | No | Unsupported pre-release versions. |
Do not report security vulnerabilities through public GitHub issues.
Use GitHub private vulnerability reporting from the repository Security tab, or open a private repository security advisory if you are a maintainer. Include:
- affected versions and environment details;
- reproduction steps or proof-of-concept code;
- expected impact and severity;
- any known mitigations or workarounds.
We aim to acknowledge valid reports promptly, coordinate fixes privately when needed, and publish an advisory or release notes when disclosure is appropriate.
The default project checks are:
- Composer validation and dependency audit;
- PHPCS coding-standard checks;
- PHPStan static analysis;
- Psalm static analysis;
- Psalm taint analysis;
- PHPUnit regression tests;
- GitHub Actions workflow scanning with zizmor;
- OpenSSF Scorecard supply-chain checks.
Additional tools such as Qodana or SonarCloud may be used by maintainers, but they are not treated as required gates unless a workflow for them exists in this repository.
Before submitting a pull request, run:
```bash
composer qa
```

Security-sensitive changes should include focused tests where practical, especially around input validation, query compilation, identity/permission checks, serialization, escaping, cryptography, file handling, and generated model/scaffolding behavior.
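As an added illustration (not this repository's own `composer.json`), the following `scripts` section shows one way a `composer qa` command can be wired to the local checks listed above: Composer validation and dependency audit, PHPCS, PHPStan, Psalm, Psalm taint analysis, and PHPUnit. The script names `phpcs`, `phpstan`, `psalm`, `psalm-taint` and `phpunit`, and the `--no-progress` flags, are assumptions chosen for this example; the tool binaries and the `@`-reference syntax are standard Composer features.

```json
{
    "scripts": {
        "qa": [
            "@composer validate --strict",
            "@composer audit",
            "@phpcs",
            "@phpstan",
            "@psalm",
            "@psalm-taint",
            "@phpunit"
        ],
        "phpcs": "vendor/bin/phpcs",
        "phpstan": "vendor/bin/phpstan analyse --no-progress",
        "psalm": "vendor/bin/psalm --no-progress",
        "psalm-taint": "vendor/bin/psalm --taint-analysis --no-progress",
        "phpunit": "vendor/bin/phpunit"
    }
}
```

Because Composer stops a script sequence at the first non-zero exit code, a failing audit or analysis step blocks the later steps, which is the gate behaviour a contributor should expect before opening a pull request. The zizmor workflow scan and the OpenSSF Scorecard checks run as GitHub Actions against the repository rather than locally, so they are intentionally absent from this script.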