Security fixes are handled on the repository's default branch.
Do not publish exploit details, credentials, tokens, or private data in a public issue.
If this repository shows GitHub's Report a vulnerability button, use that flow so the report stays private. If private vulnerability reporting is unavailable, open a minimal issue asking for a private contact channel and leave sensitive details out of the issue body.
Active Node projects use npm audit in CI and Dependabot configuration where applicable. Dependency updates and security fixes should keep the lockfile committed with the related change.
These repositories are personal, coursework, or portfolio projects. They do not provide a production support SLA, but security reports will be reviewed as practical.