How to report security vulnerability to unmaintained project on GitHub and NPM package?

I’ve found XSS in a popular package, that seems to be not maintained. And it seems the only way to create Security Advisory is by the owner of the repo. So what to do with security vulnerability to unmanned projects?

The ignored issue: Potential Security Vulnerability · Issue #448 · estools/escodegen · GitHub

There’s a github security labs slack workspace. If you’re interested in contributing on an ongoing basis, you could get an account in it.

I’ve sent a link to your issue to it.

You could also try reaching out via: