Security fixes are applied to the latest main branch state.
Please report vulnerabilities privately by opening a GitHub Security Advisory:
- Go to the repository Security tab.
- Click
Report a vulnerability. - Provide reproduction details, affected scope, and impact.
If GitHub Security Advisories are unavailable, open an issue with minimal details and request a private contact channel.
- Initial triage acknowledgement target: within 3 business days.
- Mitigation plan target: within 7 business days for high-severity issues.
- Public disclosure happens after a fix is available or mitigation guidance is provided.