Security fixes are evaluated against the current main branch and the latest public release. Older snapshots may receive a fix only when the affected code is still present in the current release line.

Do not open a public issue with exploit details, credentials, provider tokens, local transcripts, or account identifiers.

Use GitHub private vulnerability reporting for this repository when it is available. If private reporting is not available, open a minimal public issue asking for a secure maintainer contact path and do not include technical exploit details.

Helpful reports include:

• Affected version or commit.
• A concise description of the vulnerable behavior.
• Reproduction steps using placeholders instead of real credentials.
• Expected impact and any known mitigations.

Maintainers will acknowledge valid reports, triage severity, prepare a fix on a restricted branch when appropriate, and publish public details after a release or mitigation is available.