Security fixes are provided for the latest state of the default branch.

Please report security issues privately by opening a private security advisory or by contacting the maintainers directly with:

• A clear description of the issue and impact
• Reproduction steps or proof of concept
• Any suggested remediation

Do not open public issues for unpatched vulnerabilities.

Initial triage is targeted within 5 business days. If the report is valid, a fix or mitigation plan will be prepared and released as quickly as practical.