Security fixes are expected to land in:

• the latest released version
• the main branch

Older versions may not receive fixes.

Do not open a public GitHub issue for undisclosed vulnerabilities.

Use GitHub's private vulnerability reporting for this repository if it is enabled. If private reporting is not available, contact the maintainer directly before sharing details publicly.

Please include:

• a clear description of the issue
• impact and affected environments
• reproduction steps or a proof of concept
• any suggested mitigation, if known

You should receive an acknowledgement after the report is reviewed.