Security fixes target the latest immutable release and the main branch.
Report vulnerabilities with GitHub private vulnerability reporting at https://github.com/zac343/csv-guard-action/security/advisories/new. Include a minimal synthetic reproduction, affected runtime, impact, and suggested mitigation. Do not open a public issue before a fix is available.
Never submit a private CSV, real customer rows, credentials, tokens, personal data, or proprietary data. The Action accepts no token, makes no network calls, writes no CSV data, and emits only aggregate counts and the workspace-relative path.