If you find a security vulnerability in @hyperplexed/bubbles, please report it privately rather than opening a public issue.

Use GitHub's private vulnerability reporting — the "Report a vulnerability" button under the repository's Security tab.

This is a small project maintained as-is in spare time, so I can't promise a response time — but security reports are taken seriously and looked at as soon as I'm able.

Only the latest version published to npm receives fixes. There are no long-term support branches; if a fix ships, it ships in the next release.