All njs security issues should be reported to
Patches are signed using one of the PGP public keys.
in the same way as
nginx.conf and sites certificates.
What this means in practice:
if no js_import
directives are present in