If you discover a vulnerability within this project, please open an issue and label it with the security tag. The issue board is checked at least 2-3 times a week, so you should expect a response to your issue within a few days.

If a PR is submitted along with the issue to resolve the vulnerability, you can expect it to be reviewed within the same time frame as issue responses. If a PR is not submitted, the time it takes to develop a fix will differ depending on the severity of the vulnerability.

Vulnerabilities to dependencies will be updated as soon as a fix is available and an update will be pushed out.

Any vulnerable dev dependencies will be updated when/if possible- though a new release of eslint-plugin-drupal-contrib may not be pushed out right away.