Hi,
I recently identified a security issue in jsdiff and wanted to report it through GitHub's Private Vulnerability Reporting feature, but it's not currently enabled on this repository.
I've reached out via email with the details (found via your public npm maintainer profile), but for future reports — from me or anyone else — PVR provides a secure, structured channel that:
- Keeps vulnerability details private until a fix is ready
- Lets you coordinate disclosure timelines with reporters
- Automatically generates GitHub Security Advisories (GHSAs) and CVEs when you're ready to publish
You can enable it in Settings → Code security → Private vulnerability reporting. More info: https://docs.github.com/en/code-security/security-advisories/working-with-repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository
Given jsdiff's download count (~397M/month) and dependent package count (4,153+), having a clear security reporting channel would benefit the entire ecosystem.
Thank you, truly, for maintaining this library!
Best,
Daniel Cervera
Hi,
I recently identified a security issue in jsdiff and wanted to report it through GitHub's Private Vulnerability Reporting feature, but it's not currently enabled on this repository.
I've reached out via email with the details (found via your public npm maintainer profile), but for future reports — from me or anyone else — PVR provides a secure, structured channel that:
You can enable it in Settings → Code security → Private vulnerability reporting. More info: https://docs.github.com/en/code-security/security-advisories/working-with-repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository
Given jsdiff's download count (~397M/month) and dependent package count (4,153+), having a clear security reporting channel would benefit the entire ecosystem.
Thank you, truly, for maintaining this library!
Best,
Daniel Cervera