SyncIgnore performs filesystem operations, including moving directories, creating symlinks, restoring backups, and validating paths. Security reports are taken seriously.

Security fixes are handled against the current release line.

Please do not open a public issue for a suspected vulnerability.

Report privately by using GitHub private vulnerability reporting if it is enabled for the repository, or contact the maintainers through the security contact listed on the GitHub project.

Include:

• affected version or commit
• operating system
• exact command used
• project layout needed to reproduce
• whether symlinks, backups, or scratch directories were involved
• expected and actual behaviour

Examples of in-scope issues:

• path traversal or escaping project boundaries
• unsafe symlink target handling
• destructive rollback or restore behaviour
• command injection
• leaking sensitive paths through telemetry
• unsafe handling of config or template files

Examples usually out of scope:

• reports that require already having full local user access and no extra impact
• unsupported package manager wrappers
• stale private planning notes under _my_docs/