Please do not open public GitHub issues for security vulnerabilities.
Instead:
- Gather the affected area, impact, and reproduction details.
- Contact the maintainers privately or use GitHub private vulnerability reporting if it is enabled for this repository.
- Give the maintainers time to validate and coordinate a fix before public disclosure.
Security reports are especially relevant for:
- auth and session flows
- API input validation
- secret handling and environment variables
- file upload or email utilities
- access control for gated resources
- Never commit live
.envfiles or service-account credentials. - Use
.env.exampleand sanitized examples instead. - Rotate any secrets that were ever exposed outside trusted environments.