Security fixes are applied to the latest code on the main branch; older releases do not receive backported fixes.
Do not report vulnerabilities in public issues.
Use the repository hosting platform's private vulnerability reporting feature if it is enabled. If no private security channel is published yet, contact the maintainers through a private channel listed on the repository profile before sharing details.
Include:
- affected manifest or commit
- affected platform and provider
- reproduction steps
- expected and actual behavior
- impact assessment
Reports should not include live credentials unless strictly necessary. If credentials are needed to demonstrate impact, redact them before submitting the report.