Security fixes are applied to the latest state of the default branch.
Please report vulnerabilities privately.
Preferred channel:
- GitHub Security Advisory (private vulnerability report)
If GitHub Security Advisories are unavailable, contact the maintainers through the repository owner contact listed on GitHub.
When reporting, include:
- Affected component(s)
- Reproduction steps / proof of concept
- Impact assessment
- Suggested remediation (if known)
The maintainers aim to:
- Acknowledge receipt promptly
- Reproduce and assess impact
- Provide status updates during triage
- Release a fix and coordinate disclosure when ready
Please avoid public disclosure until a fix is available and users have had reasonable time to upgrade.