Please report suspected vulnerabilities privately through GitHub Security Advisories:

• Report a vulnerability

Do not open public GitHub issues for active vulnerabilities.

• Affected version or commit SHA
• Reproduction steps or proof-of-concept
• Impact assessment
• Any suggested remediation

• We will acknowledge receipt and triage severity.
• We will coordinate remediation and disclosure timing.
• We will publish fixes and release notes once patches are available.