Only the latest version is supported. When a security issue is found, it is corrected and a new patch version is published. The patch is applied only to the latest version; older versions do not receive backported fixes.
Addventa, a Paris-based company specialized in NLG, provides commercial support for RosaeNLG and can provide long-term support for specific versions.
- Most detected security issues come from third-party libraries used by RosaeNLG. These dependencies are monitored with Snyk.
- Sonar detects issues in RosaeNLG's own code; see the public Sonar dashboard.
Security issues should be reported through the GitHub issue tracker, using the "security" label.
Vulnerabilities that must remain private until a fix is available (for example, exploitable issues) can be reported directly to the author: contact [at] rosaenlg [dot] org
The resolution timeframe depends on the severity and complexity of the issue. A new version containing third-party dependency fixes is usually published at least once a month.
Pull requests correcting security issues are also welcome.