Do not open a public issue for suspected security vulnerabilities.
Use a private GitHub security advisory or contact the maintainers through a private channel before public disclosure.
Include:
- affected area or file
- reproduction steps
- impact assessment
- any suggested remediation

We will validate the report, work on a fix, and coordinate disclosure timing once a patch is available.