Security fixes are handled on the default branch. Until the project has tagged releases, only main is considered supported.
Do not open a public issue for suspected vulnerabilities.
Use GitHub's private vulnerability reporting for this repository:
If the advisory form is unavailable, use the security contact email listed in the repository metadata, once one has been configured.
Please include:
- affected commit or version
- vulnerable component or endpoint
- reproduction steps
- expected impact
- any known mitigations
We will acknowledge valid reports as soon as practical, prioritize fixes based on severity and exploitability, and publish coordinated disclosure notes when a fix is available.