Spotlight Rules takes security seriously — staying current on dependencies and responding quickly to vulnerabilities is a core goal of the project.
Please do not open a public issue for security vulnerabilities.
Report privately using GitHub's private vulnerability reporting ("Report a vulnerability" under the repository's Security tab), or email apicommons@gmail.com with details and, if possible, a reproduction.
You can expect:
- An acknowledgement within 3 business days.
- An assessment and, for confirmed issues, a remediation plan and timeline.
- Credit in the release notes once a fix is published, unless you prefer to remain anonymous.
Security fixes target the latest released 1.x of each package. Older versions are not maintained.
Dependencies are monitored with automated tooling (Dependabot) and npm audit.
Dependency updates that address published security advisories are prioritized over routine version bumps.