Security fixes are applied to the latest released version.

Please do not open a public issue for suspected vulnerabilities.

Use one of the following:

• Private security advisory (preferred): GitHub Security Advisories
• Private contact: open a private maintainer contact thread

Include:

• affected version
• reproduction steps
• impact assessment
• any suggested remediation

• Initial acknowledgment: within 72 hours
• Triage decision: within 7 days
• Fix timeline: depends on severity and complexity

We follow coordinated disclosure. Please avoid public disclosure until a fix is available and maintainers confirm publication timing.