Semantic UI Next is in active pre-release development (currently pre-1.0). Security practices will be tightened as the project approaches its 1.0 release. While we take security seriously at every stage, the API surface and internal architecture are still evolving.
During the pre-release period, only the latest published version receives security fixes. Older pre-release versions will not be patched.
If you discover a security vulnerability, please report it privately via email:
Please include:
- A description of the vulnerability
- Steps to reproduce or a proof of concept
- The affected package(s) and version(s)
Do not open a public GitHub issue for security vulnerabilities.
We will acknowledge your report promptly and work to address confirmed vulnerabilities quickly. We ask that you allow us reasonable time to investigate and release a fix before disclosing publicly.
The following are in scope:
- All packages published under the @semantic-ui npm scope
- The framework core (packages/)
- First-party components (src/)
The following are out of scope:
- The documentation website
- Third-party dependencies (please report these to the relevant maintainer)
- Issues that require physical access or social engineering
We're happy to credit reporters in release notes unless you prefer to remain anonymous. Let us know your preference when reporting.