phantom-ui is a client-side rendering component with no network calls, authentication, or user input handling, so the attack surface is small. Still, if you find something:

Don't open a public issue. Report privately via GitHub Security Advisories or email frank.refactored@gmail.com.

You'll get a response within 72 hours. Fixes ship as soon as practical, with credit on disclosure unless you'd rather stay anonymous.

Only the latest minor version is supported.