Only the latest release on main is supported. timelines has no runtime third-party Python dependencies — the attack surface is the Python standard library, your CSV input, and (for the web companion) the Pyodide runtime loaded from jsDelivr.

Please report security issues through GitHub:

• Preferred: open a private security advisory
• Alternatively: open a regular issue if the concern is non-sensitive

I'll respond within a few days and credit reporters in the release notes unless anonymity is requested.

• Third-party hosting (GitHub Pages, jsDelivr) — report those to their respective providers.
• Issues that require untrusted local write access to the machine already running the tool.