Security fixes are handled on the default branch and released in the next affected package release.

Please do not open a public issue for a suspected vulnerability.

Report security issues through GitHub's private vulnerability reporting for this repository if available. If that is not available, open a minimal GitHub issue asking for a private security contact without disclosing technical details.

Include:

• affected package and version;
• a concise description of the issue;
• reproduction steps or proof of concept, if safe to share privately;
• any known impact or mitigation.

We will acknowledge reports as soon as practical and coordinate disclosure before publishing details.