The project is maintained on the main branch. Security fixes are expected to land there first.

Do not open a public GitHub issue for an unpatched security vulnerability.

Prefer GitHub's private vulnerability reporting for this repository when it is available.

If private reporting is not available, contact the maintainer privately before public disclosure.

Include:

• A clear description of the issue
• Impact and affected area
• Reproduction steps or proof of concept
• Any proposed mitigation

• We will acknowledge receipt as soon as practical.
• We may ask for clarification or a private reproduction.
• Public disclosure should wait until a fix or mitigation is available.