Purpose: Provide a clear, private process for reporting vulnerabilities.

Please do not open public issues for security reports.

• Contact: TBD_UNVT_SECURITY_CONTACT
• If you have a suggested fix, include details and any relevant patches.

• Acknowledgement: within 3 business days.
• Initial assessment: within 7 business days.
• Fix or mitigation plan: within 30 days.

We support the latest released version only.

1. Report privately.
2. Maintainers verify and prepare a fix.
3. Release and publish a security note in CHANGELOG.md.

• This tool operates locally on user-provided files and does not provide a network service.
• Dependency updates are handled via regular maintenance and automated tooling (e.g. Renovate).