Security: picminjs/picmin

SECURITY.md

Security Policy

Supported Versions

Version Supported
1.x.x

Reporting a Vulnerability

If you discover a security vulnerability in picmin, please report it responsibly:

  1. Do NOT open a public GitHub issue
  2. Email the maintainer directly or use GitHub's private vulnerability reporting
  3. Include:
    • Description of the vulnerability
    • Steps to reproduce
    • Potential impact
    • Suggested fix (if any)

Response Timeline

  • Initial response: Within 48 hours
  • Status update: Within 7 days
  • Fix release: Depends on severity
    • Critical: Within 24-48 hours
    • High: Within 7 days
    • Medium/Low: Next regular release

Security Best Practices

When using picmin:

  1. Keep updated: Always use the latest version
  2. Validate inputs: Ensure image sources are trusted
  3. Check outputs: Verify compressed files before distribution
  4. Use in isolation: Consider running in containers for untrusted inputs

Dependencies

picmin relies on these dependencies, which have their own security policies:

We actively monitor for vulnerabilities in our dependencies using npm audit.

There aren’t any published security advisories