attrs/.github/SECURITY.md

947 B

Security Policy

Supported Versions

We are following Calendar Versioning with generous backwards-compatibility guarantees. Therefore we only support the latest version.

Put simply, you shouldn't ever be afraid to upgrade as long as you're only using our public APIs. Whenever there is a need to break compatibility, it is announced in the changelog, and raises a DeprecationWarning for a year (if possible) before it's finally really broken.

[!WARNING] The structure of the attrs.Attribute class is exempt from this rule. It will change in the future, but since it should be considered read-only, that shouldn't matter.

However if you intend to build extensions on top of attrs you have to anticipate that.

Reporting a Vulnerability

To report a security vulnerability, please use the Tidelift security contact. Tidelift will coordinate the fix and disclosure.