Please report vulnerabilities privately first.
Until a dedicated security contact is published, open a private issue or contact the maintainers directly through the project forge account.
Include:
- A clear impact statement.
- Reproduction steps or proof-of-concept.
- Affected version/commit and environment.
Do not open public issues for unpatched vulnerabilities.