Security fixes are developed on the active master branch and shipped as tagged
releases (vX.Y.Z) via the Release Please pipeline.
Pinboard tracks currently supported PHP branches, matching composer.json
(php: >=8.4) and the CI test matrix. As of 2026-07-02, the active matrix is:
PHP 8.4PHP 8.5
Older end-of-life PHP branches are not supported for security maintenance.
Pinboard reads data from a Pinba storage engine (XOlegator/pinba_engine); vulnerabilities in the engine or in the Pinba PHP extension should be reported to those projects.
Please do not open a public issue for a suspected security vulnerability.
Report it privately via GitHub's private vulnerability reporting, or by email to:
- Oleg Ekhlakov o.ekhlakov@protonmail.com
Include, when possible:
- affected Pinboard version or commit;
- affected PHP version;
- reproduction steps;
- whether the issue impacts confidentiality, integrity, availability, or data correctness;
- whether the issue is authenticated-only or reachable pre-authentication.
- Acknowledgement target: reasonable best effort.
- Fixes should preserve the existing public contract unless a breaking security mitigation is unavoidable.
- Public release notes are published after a fix is prepared or released.