Report security vulnerabilities through GitHub's private vulnerability reporting. Do not open a public issue.

A maintainer will acknowledge receipt within seven days and provide an initial assessment within fourteen days.

Security fixes are applied to the main branch. Tagged releases are supported until superseded by a later tag on the same minor line.