The project currently supports security fixes on:

• the latest main branch

Older branches and historical commits should not be assumed to receive security patches.

• Do not open a public GitHub issue for an undisclosed security vulnerability.
• Use GitHub private vulnerability reporting if it is available for this repository.
• If private reporting is not available, contact a maintainer privately through GitHub before public disclosure.

Please include:

• a short description of the issue
• affected files, endpoints, or flows
• reproduction steps or a proof of concept
• impact assessment
• any suggested mitigation

Maintainers will try to:

• acknowledge the report promptly
• validate the issue
• prepare a fix or mitigation
• coordinate responsible disclosure when needed