Security fixes are currently applied to the active default branch.
Please do not open public issues for unpatched security vulnerabilities.
Use one of the following:
- GitHub private vulnerability reporting (preferred).
- If private reporting is unavailable, contact the maintainer privately through GitHub and request a secure channel.
Include:
- Affected component/file.
- Reproduction steps or proof of concept.
- Impact and severity estimate.
- Any suggested mitigation.
- Initial triage target: within 3 business days.
- Status update target: within 7 business days.
- Fix timing depends on severity, exploitability, and release risk.
- Never commit API keys or credentials.
- Use Cloudflare environment bindings and `.dev.vars` for local development.
- Rotate exposed credentials immediately.