If you find a security bug (in this library or its dependencies), open a security advisory. This ensures the library can be updated before making this public, allowing users to update in that moment.
The response time may vary depending on availability. If the issue is confirmed:
- If the vulnerability is confirmed (a user can be negativelly affected): will be solved as soon as possible, and the advisory and the upgrade will be made public at the same time.
- If the bug exists but no user can be affected, the issue will be made public and added to the normal TODO queue list.