Please, strongly consider reporting security vulnerabilities privately using the advisories page.

Allow the maintainers up to 30 days to address the vulnerability and make a new release containing the fix before going public with it.

If going public with it after 30 days with the issue still unpatched, opening a public issue referencing the advisory is recommended.