Do not report security-sensitive issues in public threads until an owner has provided a private contact path.
Current RC1 status:
- no public vulnerability intake address is configured
- no npm or VS Marketplace publishing channel is active
- supported installs are local-source installs
Owners should add a private reporting address before public distribution.