Please do not open public issues for security vulnerabilities.

Report vulnerabilities through GitHub private vulnerability reporting for this repository. If private reporting is unavailable, open an issue marked "security" with no exploit details and ask maintainers for a private channel.

• A clear description of the issue
• Steps to reproduce
• Affected browser and platform
• Potential impact
• Any proof-of-concept details needed for verification

• Initial triage response target: 5 business days
• Status updates during investigation
• Coordinated disclosure after a fix is available

This is a static, browser-only application. Main risk areas are dependency vulnerabilities, supply-chain risk, and malicious script injection in deployment configuration.