Security fixes are provided for the latest released minor version.

Do not report suspected vulnerabilities in a public issue.

Use GitHub private vulnerability reporting to submit a report. Include:

• A description of the vulnerability and its potential impact.
• The affected version, operating system, and Node.js version.
• Reproduction steps or a minimal proof of concept.
• Any known mitigations or workarounds.

Maintainers aim to acknowledge reports within three business days and provide an initial assessment within seven business days. Resolution timelines depend on severity and complexity.

Please allow maintainers reasonable time to investigate and release a fix before public disclosure.