Security fixes are applied to the latest version on main.

Please do not open public issues for security vulnerabilities.

Use one of these private channels:

• Open a private GitHub Security Advisory in this repository.
• If advisories are unavailable, contact the maintainer directly via the email listed on the repository owner profile.

Include:

• Affected component(s)
• Reproduction steps or proof of concept
• Impact assessment
• Any suggested mitigation

• Initial acknowledgement: within 72 hours
• Triage status update: within 7 days
• Fix timeline: depends on severity and complexity

After a fix is available, we may publish a security advisory with:

• Affected versions
• Mitigation steps
• Upgrade guidance