Security: stepdown-dev/stepdown-ts

SECURITY.md

Security Policy

Supported Versions

v0.1.0 receives security review once released. Before v0.1.0, unreleased main receives maintainer review for reported vulnerabilities.

Reporting a Vulnerability

Report vulnerabilities through GitHub Private Security Advisories for this repository. Use the repository Security tab and its private vulnerability reporting flow.

Include:

  • Affected package version or commit.
  • Node.js, npm, and TypeScript versions.
  • The command used to reproduce the issue.
  • A minimal reproduction when one can be shared safely.
  • Expected impact and any known workaround.

Do not disclose vulnerabilities publicly before maintainer coordination is complete.

Repository administrators must enable GitHub private vulnerability reporting outside this implementation when the repository is ready for public reporting.

Non-security Reports

Use public issues for grammar disagreements, diagnostic wording, TypeScript compiler API compatibility, fixture gaps, and performance reports unless the behavior creates a security impact.
