Security: jjeff/resortable

SECURITY.md

Security Policy

Supported Versions

Resortable is in active pre-1.0 development. Only the latest published version on the main branch receives security fixes.

Version                   | Supported
--------------------------|--------------------------------------------------
2.0.0-beta.* (and later)  | Yes (latest published version)
2.0.0-alpha.*             | ❌ (pre-release; upgrade to beta)
1.x                       | n/a (never published — see migration guide)

Reporting a Vulnerability

Please do not open public GitHub issues for security vulnerabilities.

Report security issues privately using GitHub's private vulnerability reporting feature. An advisory draft will be created and you'll be invited as a collaborator.

For each report, please include:

  • A description of the issue and its potential impact
  • Reproduction steps (or a minimal failing snippet)
  • The affected version(s) of Resortable
  • Any suggested remediation, if you have one

What to expect

  • An acknowledgment within 72 hours of the report
  • An assessment of the report within 7 days, including whether it qualifies as a security issue and an estimated fix timeline
  • For confirmed issues, a fix in the next patch release plus a published advisory crediting you (unless you prefer to remain anonymous)

Scope

In scope:

  • Vulnerabilities in dist/ build outputs published to npm
  • XSS / DOM-injection risks via library APIs
  • Prototype pollution, code injection, or privilege escalation paths
  • Supply-chain risks introduced by dependencies declared in package.json

Out of scope:

  • Issues in the legacy-sortable/ submodule (report those upstream at SortableJS/Sortable)
  • Vulnerabilities in development dependencies that don't affect the published dist/ bundle (those are still tracked via npm audit and the Dependabot configuration, but aren't security advisories)
  • Drag-and-drop UX behaviors users find confusing — report those as regular issues

There aren't any published security advisories