The latest published 0.x release receives security fixes.

Please report security issues privately rather than opening a public issue.

• Use GitHub's private vulnerability reporting, or
• Email sebastian@0a.cl with the details.

Include a description, a reproduction, and the impact. You can expect an initial response within a few days. Once a fix is released, we are happy to credit you in the advisory unless you prefer to remain anonymous.

tool-schema has zero runtime dependencies and performs only in-memory data transformation: it does not make network requests, read or write files, or execute code from its input. The most relevant risks are denial of service from pathological input (for example, deeply nested or cyclic schemas). Reports along those lines are welcome.