We release security fixes for the actively maintained ReactPress 3.x line. Older major versions (2.x and below) no longer receive security updates unless noted in a release announcement.
| Version | Supported |
|---|---|
| 3.x | ✅ |
| 2.x | ❌ |
| < 2.0 | ❌ |
Install the latest stable release:

```
npm i -g @fecommunity/reactpress@latest
```

Please do not report security vulnerabilities through public GitHub Issues.
If you discover a security issue, report it privately so we can investigate and ship a fix before details are public:
- Preferred: Open a private security advisory on GitHub (Repository → Security → Report a vulnerability).
- Alternative: Contact the maintainers via a GitHub issue titled `Security report (private details)` and ask to move the conversation to a private channel — do not include exploit steps or sensitive data in the initial public comment.
Include as much of the following as you can:
- Affected component (CLI, API/server, client, toolkit, theme)
- ReactPress / npm package version
- Steps to reproduce (proof of concept if available)
- Impact assessment (data exposure, privilege escalation, RCE, etc.)
- Suggested remediation, if you have one
| Timeline | Action |
|---|---|
| Within 72 hours | Acknowledgement of your report |
| Within 7 days | Initial assessment and severity classification |
| Ongoing | Status updates until resolved |
| After fix | Coordinated disclosure and credit in release notes (if desired) |
We appreciate responsible disclosure. Valid reports may be credited in CHANGELOG.md unless you prefer to remain anonymous.
When self-hosting ReactPress:
- Keep Node.js, dependencies, and `@fecommunity/reactpress` up to date
- Use strong database credentials; do not commit `.env` files
- Terminate TLS at your reverse proxy (see `reactpress nginx` in the CLI)
- Restrict admin/API access in production networks where possible
- Rotate API keys and webhook secrets periodically
For general bugs and feature requests (non-security), use GitHub Issues.