Report security vulnerabilities through GitHub's private vulnerability reporting. Do not open a public issue.

A maintainer will acknowledge receipt within seven days and provide an initial assessment within fourteen days.

Security fixes are applied to the latest published minor version. Older versions receive security backports on a case-by-case basis.