Security fixes are applied to the main branch.
If you believe you’ve found a security vulnerability:
- Do not open a public issue with exploit details.
- Prefer opening a private security advisory on the repository (if enabled).
- If that’s not available, open a minimal public issue that says "security report" without sensitive details.
What to include:
- A clear description of the issue
- Steps to reproduce
- Impact assessment (what an attacker can do)
- Any relevant logs (with secrets removed)
We’ll aim to acknowledge within a few days and provide a fix or mitigation as quickly as practical.