Security fixes are applied to main and to the latest published release once
release tags are in active use.

Use GitHub private vulnerability reporting for this repository when possible:

Please do not open a public issue for a potential vulnerability before the maintainers have had a chance to assess it.

Include as much of the following as you can:
- affected command, subsystem, or workflow
- reproduction steps
- impact and expected severity
- logs, artifacts, or screenshots if they help explain the issue
- any suggested mitigation or fix direction

You should expect an acknowledgement, a triage decision, and then either a fix, a mitigation, or a request for more detail.