Automated audit tools can be useful, but they often report false positives. In large, dependency-heavy projects like jsreport, these reports frequently flag issues that are not exploitable in practice and therefore don’t always provide meaningful, actionable security value.
For this reason, we won’t be releasing jsreport hotfixes on a more frequent schedule.
We take security seriously and run multiple audit scans as part of every release, working to satisfy their requirements. This process already requires significant time and effort, and we don’t plan to extend it beyond our current scope.