Please report security vulnerabilities through GitHub's private vulnerability reporting.

Do not file a public issue for security vulnerabilities.

You should receive a response within 72 hours. If the vulnerability is confirmed, a fix will be released as soon as practical, and you will be credited in the release notes (unless you prefer to remain anonymous).