This is just the start. We’re also working on a deeper security initiative to strengthen Yeoman for the long haul. If you’re curious or want to contribute, check out the discussion here.
We’re not just dusting off old code. As part of our Maintenance Reboot Initiative, we’re rebuilding Yeoman for the future—stronger, faster, and definitely more secure.
That’s why we’ve rolled out an updated Security Policy to keep our ecosystem locked down tight. If you’re into open source (and we know you are), here’s how you can help keep Yeoman secure.
How to Report a Vulnerability (Without Blowing Up the Internet)
- Found something shady?
- Step 1: Do NOT open a public issue!
- Step 2: Report it privately through a GitHub Security Advisory.
- Step 3: Can’t use GitHub? Check the security policy for an alternative option.
Why private? Because public issues can give attackers a head start, and we’re not here for that.
What Happens After?
- You’ll hear from us within a few days (we’re fast, but coffee breaks exist).
- We aim to squash confirmed vulnerabilities within 30 days—complex issues might take a bit longer.
- You’ll be looped in throughout the process. Transparency is key.
- Once fixed, we’ll shout out your name (if you want) as a thank-you!
Rewards? Not Yet. Recognition? Absolutely.
No, there’s no bug bounty (for now). But responsible disclosures get you serious street cred in the Yeoman community. We’ll acknowledge your contributions (with your consent) after a fix is out.
Happy hacking 🎩
– The Yeoman Maintainers Team
@UlisesGascon and @JoshuaKGoldberg