Security fixes are provided for the latest code on the main branch.

Please do not open public issues for suspected vulnerabilities.

Instead, report privately by contacting the maintainers with:

1. A clear description of the issue
2. Affected package(s) and version/commit
3. Reproduction steps or proof-of-concept
4. Impact assessment (what can an attacker do)
5. Suggested mitigation, if available

If GitHub Security Advisories are enabled for this repository, prefer using private vulnerability reporting there.

Target timeline:

1. Acknowledgement: within 3 business days
2. Initial triage: within 7 business days
3. Remediation plan or workaround: within 14 business days

These are targets and may vary based on severity and complexity.

Please allow maintainers time to investigate and release a fix before public disclosure.