Please do not create public GitHub issues for security vulnerabilities.
Instead, use GitHub Security Advisories to report privately:
- Go to the repository Security tab and click "Report a vulnerability".
If Security Advisories are not available, you can also contact the maintainers by opening a minimal issue asking to initiate a private security report. Do not include exploit details publicly.
We aim to acknowledge reports within 5 business days and will work with you to validate and address the issue.
We support the latest released minor version and apply critical fixes to the most recent patch releases as needed.
We follow responsible disclosure practices. Once a fix is available, we will coordinate a public advisory and release notes in CHANGELOG.md.