| Version | Supported |
|---|---|
| 2.x | Yes |
| 1.x | No |

1.x is deprecated. It contained a front-matter sanitization bypass that was fixed in 2.0.0. Please upgrade.

Please report security issues privately via GitHub Security Advisories. Do not open a public issue for suspected vulnerabilities.

We aim to acknowledge reports within 5 business days and ship a fix or mitigation within 30 days for confirmed issues. Coordinated disclosure timelines can be agreed on a case-by-case basis.

When reporting, please include:
- A description of the issue and its impact.
- Steps to reproduce or a proof-of-concept payload.
- The version (or commit) you tested against.