Security: fabiocaccamo/python-benedict

SECURITY.md

Security Policy

Supported Versions

Only the latest stable release receives security fixes.

Version   Supported
latest    yes
older     no

Reporting a Vulnerability

Please do not open a public GitHub issue for security vulnerabilities.

Use GitHub's private Report a vulnerability feature. You will receive a response within 7 days, and a fix will be released as soon as possible depending on severity.

Supply Chain Security

  • SBOM — a Software Bill of Materials in CycloneDX format (JSON and XML) is attached to every release as sbom.cyclonedx.json / sbom.cyclonedx.xml.
  • License report — a full dependency license inventory (licenses.csv / licenses.md) is also attached to every release.
  • Trusted Publishing — packages are published to PyPI via OIDC Trusted Publishing, without storing long-lived API tokens.

There aren’t any published security advisories