Do not open public GitHub issues for security-sensitive reports.

Preferred path:

• Use GitHub Security Advisories or the repository's private vulnerability reporting flow.

If private reporting is unavailable, contact the package maintainers through the publisher contact associated with the repository and npm package.

Please include:

• A clear description of the issue.
• Impact and affected surfaces.
• Reproduction steps or a minimal proof of concept.
• Any suggested mitigations.

Maintainers will aim to acknowledge valid reports promptly, assess impact, and coordinate a fix before public disclosure when feasible.