Skip to content

Security: http4s/http4s-fabric

Security

SECURITY.md

Security Policy

Supported Versions

We are currently providing security updates to the following http4s core versions:

Version Supported
0.21.x
0.20.x
0.19.x
0.18.x
< 0.18

For other repos in the http4s org on different release cycles, see their documentation.

Reporting a Vulnerability

We will use keybase as the vehicle for reporting security issues as that gives us a forum to discuss, analyze, and remediate the threat before an exploit is published. Responsible disclosure enhances security for the entire community.

If the issue is deemed a vulnerability, we will release a patch version of our software and make sure that finds it way to Maven Central before we push the patch to github. After the patch is available on Maven Central, we will also provide a security advisory through github. As with every release, the source jars are published to maven central at the same time as the binaries.

We strongly recommend users of our libraries to use Scala Steward or something similar to automatically receive updates.

Security Maintainer list:

name github keybase
Ross A. Baker @rossabaker @rossabaker
Christopher Davenport @christopherdavenport @davenpcm
Erlend Hamnaberg @hamnis @hamnis

There aren’t any published security advisories