Security fixes are applied to the latest code on main.
Do not report vulnerabilities in public issues.
Use the repository hosting platform's private vulnerability reporting feature if it is enabled. If no private security channel is published yet, contact the maintainers through a private channel listed on the repository profile before sharing details.
Include:
- affected version or commit
- operating system and environment
- reproduction steps or proof of concept
- impact assessment
Reports should avoid including live credentials unless strictly necessary. If credentials are required to explain impact, redact them first.