We are currently providing security updates to the following http4s core versions:
| Version | Supported |
|---|---|
| 1.x | ✅ |
| 0.23.x | ✅ |
| 0.22.x | ❌ |
| 0.21.x | ❌ |
| 0.20.x | ❌ |
| 0.19.x | ❌ |
| 0.18.x | ❌ |
| < 0.18 | ❌ |
For other repos in the http4s org on different release cycles, see their documentation.
To report a security issue, please use one of the following methods:
- Navigate to the "Security and quality" tab at the top of the relevant repository, click the "Report a vulnerability" button, and complete the form as much as possible.
- Email the Security Team with a description of the issue, the steps you took to create the issue, affected versions, and, if known, mitigations for the issue.
The Security Team will attempt to respond within 3 working days of your report. If the issue is confirmed as a vulnerability, we will open a Security Advisory. This project follows a 90 day disclosure timeline.
- A GitHub Security Advisory will be created in the appropriate repository.
- A project member works privately with the reporter to resolve the vulnerability.
- The project creates a new release of the package the vulnerabilty affects to deliver its fix.
- The project publicly announces the vulnerability and describes how to apply the fix.
We strongly recommend users of our libraries to use Scala Steward or something similar to automatically receive updates.
| name | PGP public key | |
|---|---|---|
| Ross A. Baker | ross@rossabaker.com | 0x975BE5BC29D92CA5 |
| Arman Bilge | arman@typelevel.org | 0xA335B107E9282548 |
| Erlend Hamnaberg | ||