Only the latest published version on crates.io receives security fixes. We do not backport to older versions.

Please do not open a public GitHub issue for security vulnerabilities.

Use GitHub's private vulnerability reporting: Report a vulnerability

Include:

• A clear description of the vulnerability and its impact
• Steps to reproduce or a minimal proof-of-concept
• The affected crate(s) and version(s)
• Any suggested fix if you have one

We aim to acknowledge reports within 3 business days and to publish a fix and advisory within 30 days for confirmed vulnerabilities. We will credit reporters in the advisory unless you request otherwise.

This policy covers the swink-agent workspace crates published to crates.io. Vulnerabilities in upstream dependencies should be reported to those projects directly; we will update our dependency on a fixed version as promptly as possible.