mirror of https://github.com/coder/code-server.git
1.7 KiB
1.7 KiB
Security Policy
The code-server team (and Coder, the organization) care a lot about keeping the project secure and safe for end-users.
Tools
We use a combination of tools to help us stay on top of vulnerabilities.
- dependabot
- Submits pull requests to upgrade dependencies. We use dependabot's version upgrades as well as security updates.
- code-scanning
audit-ci
- Audits npm and Yarn dependencies in CI (see "Audit for vulnerabilities" step in
ci.yaml
) on PRs into the default branch and fails CI if moderate or higher vulnerabilities(see theaudit.sh
script) are present.
- Audits npm and Yarn dependencies in CI (see "Audit for vulnerabilities" step in
Supported Versions
Coder sponsors development and maintenance of the code-server project. We will fix security issues within 90 days of receiving a report, and publish the fix in a subsequent release. The code-server project does not provide backports or patch releases for security issues at this time.
Version | Supported |
---|---|
Latest | ✅ |
Reporting a Vulnerability
To report a vulnerability, please send an email to security[@]coder.com and our security team will respond to you.