Please report security vulnerabilities through GitHub's private vulnerability reporting:

Report a vulnerability

Do not open a public issue for security vulnerabilities.

• Vulnerabilities in package source code
• Dependency vulnerabilities that affect consumers
• Build or publish pipeline security issues

We aim to acknowledge reports within 48 hours and provide a fix or mitigation plan within 7 days.

Only the latest published version of each package is supported. We do not backport fixes to older major versions.