Please do not open a public GitHub issue for security reports.
Instead, use one of these options:
- GitHub — On this repository, open Security → Report a vulnerability to submit a private advisory.
- Email — If that is unavailable, use a contact method the maintainers list on their GitHub profile or organization page.
Include enough detail to reproduce or understand the risk (versions, configuration, impact). We aim to acknowledge reports within a few business days.
Security fixes are applied to the default branch (main) unless otherwise noted. Use the latest release or main for production-like deployments.
Please allow reasonable time for a fix before public disclosure, unless the issue is already actively exploited or widely known.