Please do not report security vulnerabilities in public issues.

Use GitHub's private vulnerability reporting when it is enabled for the repository. If it is not available, use the contact information listed on the repository owner profile.

Include:

• affected repository and version or commit
• steps to reproduce
• expected impact
• any temporary workaround you know

Reports are reviewed as time allows. Public disclosure should wait until there is a fix or a reasonable mitigation path.