Security fixes are only provided for the current 3.x line and newer. The last 2.x release is 2.8.5, and no further security patches will be issued for 2.x.

Report security issues by email to me@yogev.dev instead of using public issue tracking. Please include the affected version, a description of the impact, clear reproduction steps, and any proof of concept or logs that help us understand the problem.

We will acknowledge receipt, triage the report privately, and follow up with status updates as needed while we assess and remediate the issue. If a report is accepted, we will coordinate a fix before public disclosure when possible. If a report is declined, we will explain why where appropriate.