If you've found a vulnerability, do not create a public issue or a pull request with the fix. Disclosing a security issue before a fix is released may put users at risk.
Instead, email can@relic.so directly to report and/or fix the vulnerability in private.