Quoll is distributed through the VS Code Marketplace and Open VSX. Security fixes are shipped only in a new published release, and only the latest published version is supported.
| Version | Supported |
|---|---|
Latest published 0.1.x |
✅ |
| Any older version | ❌ (upgrade first) |
If you are affected, update to the latest release before reporting — the fix may already be published.
Please report security issues privately. Do not open a public issue, pull request, or discussion for anything security-sensitive.
Use GitHub's private vulnerability reporting for this repository:
- Go to the Security tab of https://github.com/mtskf/quoll.
- Choose Report a vulnerability.
- Include a description, the affected version, reproduction steps, and the impact you observed.
This routes the report privately to the maintainer and lets us coordinate a fix and disclosure with you.
- Acknowledgement: within 7 days of your report.
- Assessment: an initial severity assessment and next steps within 14 days.
- Fix & disclosure: for confirmed issues, a fix is published in a new release and the advisory is disclosed once users have had a reasonable window to update.
We will keep you informed of progress and credit you in the advisory unless you ask us not to.
This policy covers the published Quoll extension (VS Code Marketplace / Open VSX) at the latest release.
Unpublished, development, or self-built artifacts (a local pnpm build, an
unreleased branch, a manually built .vsix) are not supported — unless the
same defect also affects a published release, in which case report it as above
and note that it reproduces on the release.