Security fixes are applied to the current main branch.

Please do not open public issues for security vulnerabilities.

Use GitHub private vulnerability reporting:

• Security tab in this repository
• Report a vulnerability

Include:

• Affected version/commit
• Reproduction steps
• Impact assessment
• Suggested mitigation (if known)

• Initial triage target: within 7 days
• Status updates provided as work progresses
• Coordinated disclosure preferred after a fix is available