If you have found a possible vulnerability, please email security at astral dot sh.
While we sincerely appreciate and encourage reports of suspected security problems, please note that Astral does not currently run any bug bounty programs.
Critical vulnerabilities will be disclosed via GitHub's security advisory system.