This project is currently a public beta / v2.4 candidate. Security fixes should target the default branch unless a maintained release branch is created later.
If you find a vulnerability, please avoid posting exploit details in a public issue.
Preferred reporting path:
- Use GitHub private vulnerability reporting if it is enabled for the repository.
- If private reporting is unavailable, open a minimal public issue that says a vulnerability report is available, without including exploit details or sensitive data.
Please include:
- affected file or workflow;
- impact and likely severity;
- reproduction steps using non-sensitive data;
- suggested mitigation, if known.
Relevant issues include:
- instructions that encourage unsafe handling of secrets, credentials, or private data;
- examples that leak sensitive values;
- scripts that perform unexpected network, filesystem, or destructive operations;
- workflows that could publish local caches, generated artifacts, or private files;
- prompts that encourage deceptive UX, dark patterns, or inaccessible steering.
This repository does not currently ship a network service or runtime application.