Security updates are available for the two latest major versions.
In the event of a security vulnerability in tailwind-merge, a patch release with a fix will be made to all affected latest major versions. I.e. if the two latest major versions of tailwind-merge would be v9.3.4
and v8.10.0
and a security vulnerability would get discovered which affected all versions from v6.0.0
to v9.3.4
, then at least the releases v9.3.5
and v8.10.1
would be made to fix the security vulnerability.
Please report vulnerabilities privately via GitHub at https://github.com/dcastil/tailwind-merge/security.
In case it is not possible to report a vulnerability via GitHub, you can send me an email to [email protected]. However, I might change or disable this email address at any time depending on how much spam I get through it.
You can expect an answer from me within 24 hours most of the time. However, if I'm travelling and don't have good reception, it could take up to a few days. Usually I set my GitHub status to busy when I expect to be unresponsive for more than a day.