Only the latest minor release receives security updates while the package
sits on the 0.x line. Once we ship 1.0, the previous minor will continue
to receive critical patches for six months.

Please do not open a public GitHub issue for security problems. Instead,
report them privately to the maintainer email listed in package.json.

When reporting, include:
- A clear description of the issue and its impact.
- Steps to reproduce, ideally with a minimal repository or snippet.
- Affected versions of `onboarding-tools` and React.
- Any suggested mitigation.

We will acknowledge your report within 72 hours, agree on a disclosure timeline, and credit you in the release notes unless you prefer to remain anonymous.