Security: Shramkoweb/Portfolio

SECURITY.md

Security Policy

Supported versions

Only the version currently deployed at https://shramko.dev is supported. There is no LTS branch.

Reporting a vulnerability

Please do not open a public GitHub issue for security problems.

Two reporting channels, in order of preference:

  1. GitHub private vulnerability advisory — preferred. Use the "Report a vulnerability" button on the Security tab.
  2. Email: shramko.dev@gmail.com with subject Security: <one-line summary>.

What to expect

  • Acknowledgement within 7 days (best-effort, solo maintainer).
  • Investigation timeline depends on severity. Critical issues that affect deployed code take priority.
  • Credit in the fix commit / release notes if you'd like (mention in your report).

Out of scope

  • Content under _posts/ and _snippets/ (not executable code).
  • Missing security headers on demo or staging subdomains.
  • Reports from automated scanners with no proof-of-concept.
  • Issues in third-party services I integrate with (Vercel, Sentry, GitHub) — please report to the upstream vendor.

Existing controls

  • GitHub native secret scanning is enabled (public repo, automatic).
  • CodeQL default setup is enabled (repo Security tab) — runs on every push and PR.
  • Dependencies are updated weekly via Renovate; pnpm audit runs in CI.