diff --git a/.github/workflows/chromatic.yml b/.github/workflows/chromatic.yml
index 68726bc..d3847c4 100644
--- a/.github/workflows/chromatic.yml
+++ b/.github/workflows/chromatic.yml
@@ -18,6 +18,9 @@ on: - "package-lock.json" workflow_dispatch: +permissions: + contents: read + # Cancel in-progress runs when new commits land on the same ref, so a # rapid sequence of pushes doesn't queue multiple snapshot uploads. concurrency:
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 383b136..08e5c12 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -5,8 +5,12 @@ on: push: branches: [main] +permissions: + contents: read + jobs: test: + if: github.head_ref != 'changeset-release/main' runs-on: ubuntu-latest strategy: fail-fast: false
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index ced6ea4..6591a3d 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -8,6 +8,9 @@ on: schedule: - cron: "0 6 * * 1" +permissions: + contents: read + jobs: analyze: name: Analyze (${{ matrix.language }})
diff --git a/.github/workflows/osv-scanner.yml b/.github/workflows/osv-scanner.yml
index 141825c..4cbb625 100644
--- a/.github/workflows/osv-scanner.yml
+++ b/.github/workflows/osv-scanner.yml
@@ -9,12 +9,14 @@ on: - cron: "0 6 * * 1" permissions: - actions: read contents: read - security-events: write jobs: scan: + permissions: + actions: read + contents: read + security-events: write uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@e69cc6c86b31f1e7e23935bbe7031b50e51082de # v2.0.2 with: scan-args: |-
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index d1ee028..27e9750 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
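Review bot: The new `permissions:` key is inserted directly after `workflow_dispatch:` with no blank line separating it from the `on:` block; the one blank line this hunk adds comes after `contents: read` instead, and the hunk counts (+3) leave no room for a separator before the key. The same layout appears in the ci.yml, codeql.yml and size.yml hunks of this commit, so this note covers those too. Move the blank line so the stanza reads `workflow_dispatch:` / (blank) / `permissions:` / `  contents: read`, keeping one blank line between top-level stanzas. The `on:` block itself begins outside the hunk.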
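Review bot: `if: github.head_ref != 'changeset-release/main'` only has an effect on pull_request events; `github.head_ref` is empty under the `push` trigger visible in this hunk, so the comparison is always true there and `test` still runs on main. That is presumably the intent (skip the changesets release PR, keep building main), but nothing on the line records it. A comment above the condition would make it explicit: `# Skip the changesets release PR; head_ref is empty on push, so main builds are unaffected`. The `on:` block begins outside the hunk, so whether a pull_request trigger exists cannot be confirmed here.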
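Review bot: The workflow-level `contents: read` added here withdraws the default token scopes, and CodeQL's result upload needs `security-events: write` (plus `actions: read` on private repositories), yet the `analyze` job that starts at the end of the hunk declares no `permissions:` block within the visible lines. Unless it does so further down, the SARIF upload step will be rejected after this change. If the block is missing, add it at job level: `permissions:` / `  contents: read` / `  security-events: write`. The analyze job body continues outside the hunk.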
@@ -8,12 +8,14 @@ concurrency: group: release-${{ github.ref }} permissions: - contents: write - pull-requests: write - id-token: write + contents: read jobs: release: + permissions: + contents: write + pull-requests: write + id-token: write runs-on: ubuntu-latest steps: - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index a1f1c52..1ae9b06 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -7,7 +7,9 @@ on: push: branches: [main] -permissions: read-all +permissions: + actions: read + contents: read jobs: analysis:
diff --git a/.github/workflows/size.yml b/.github/workflows/size.yml
index 80369b2..8bae125 100644
--- a/.github/workflows/size.yml
+++ b/.github/workflows/size.yml
@@ -4,6 +4,9 @@ on: pull_request: branches: [main] +permissions: + contents: read + jobs: size: if: github.head_ref != 'changeset-release/main'
diff --git a/.github/workflows/storybook.yml b/.github/workflows/storybook.yml
index b5d47e2..77e460e 100644
--- a/.github/workflows/storybook.yml
+++ b/.github/workflows/storybook.yml
@@ -7,8 +7,6 @@ on: permissions: contents: read - pages: write - id-token: write concurrency: group: pages
@@ -34,6 +32,9 @@ jobs: deploy: needs: build runs-on: ubuntu-latest + permissions: + pages: write + id-token: write environment: name: github-pages url: ${{ steps.deployment.outputs.page_url }}
diff --git a/LICENSE b/LICENSE
index fc21315..1f56784 100644
--- a/LICENSE
+++ b/LICENSE
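Review bot: The job-level block grants three write scopes (`contents`, `pull-requests`, `id-token`) without recording why each is needed, which is exactly what a later audit of this token will ask. Presumably `contents: write` is for tags and GitHub releases, `pull-requests: write` for the changesets version PR and `id-token: write` for an OIDC-based publish — confirm against the steps, which run past the end of this hunk. Annotate each scope inline, e.g. `contents: write  # TODO confirm: tags / GitHub release`, `pull-requests: write  # TODO confirm: changesets version PR`, `id-token: write  # TODO confirm: OIDC token for publish`. Note that a job-level `permissions:` replaces the workflow-level set rather than merging with it, so every scope the job needs must be listed here.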
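Review bot: Replacing `permissions: read-all` with `actions: read` and `contents: read` removes the write scopes the Scorecard action depends on: `security-events: write` to upload its SARIF and `id-token: write` to publish results, both of which must now come from a job-level `permissions:` on `analysis`. The hunk ends at `analysis:`, so whether such a block exists cannot be seen here; if it does not, the upload and publish steps will be denied. Add at job level: `permissions:` / `  security-events: write` / `  id-token: write`, and repeat `actions: read` and `contents: read` there, since a job-level block replaces the workflow set rather than extending it. The analysis job body is outside the hunk.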
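Review bot: With `contents: read` now set at workflow level, the `size` job has no other scope unless it declares its own; if any of its steps posts a size report as a PR comment or check run, that step will need job-level `pull-requests: write` (or `checks: write`), which this hunk does not show. The job's steps continue outside the hunk, so treat this as a check to make rather than a confirmed break. If such a step exists, add under `size:`: `permissions:` / `  contents: read` / `  pull-requests: write`.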
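Review bot: A job-level `permissions:` block replaces the workflow-level grant rather than adding to it, so after this hunk `deploy` runs with `pages: write` and `id-token: write` only, and `contents: none`. That is sufficient for a job that only publishes the artifact produced by `build` (the `steps.deployment.outputs.page_url` reference suggests a Pages deploy step), but any checkout step in `deploy` would now fail; the job's steps continue outside the hunk, so this cannot be confirmed here. If a checkout is present, add `contents: read` to the block. The first hunk in this file, which removes the two scopes from the top-level `permissions:`, is the other half of this move and needs no separate note.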
@@ -2,4 +2,17 @@ MIT License Copyright (c) 2026 kirilinsky -Permission is hereby granted, free of charge, to any person obtaining a copy of this software.
\ No newline at end of file
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software
+and associated documentation files (the "Software"), to deal in the Software without restriction,
+including without limitation the rights to use, copy, modify, merge, publish, distribute,
+sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or
+substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT
+NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
+DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
diff --git a/SECURITY.md b/SECURITY.md
index 710704b..2968ff9 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -13,7 +13,9 @@ Security updates are provided for the latest stable release only. If you discover a security vulnerability, please do not open a public issue. -Please report it privately using GitHub's **Report a vulnerability** feature, if available. +Please report it privately using GitHub's **Report a vulnerability** flow: + +https://github.com/kirilinsky/dateforge-react-calendar/security/advisories/new Include:
@@ -22,8 +24,8 @@ Include: - Affected version - Possible impact -I will try to acknowledge valid reports ASAP. +I will try to acknowledge valid reports within 7 days. -If the vulnerability is confirmed, I will work on a fix and publish a security update as soon as reasonably possible. +If the vulnerability is confirmed, I will work on a fix and publish a security update as soon as reasonably possible. I aim to coordinate public disclosure within 90 days, or sooner if a fix is available and users have had reasonable time to upgrade. Please allow reasonable time for investigation and fixing before public disclosure.
diff --git a/package-lock.json b/package-lock.json
index d198f36..e0ee06a 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@ { "name": "@dateforge/react-calendar", - "version": "1.5.0", + "version": "1.5.1", "lockfileVersion": 3, "requires": true, "packages": { "": { "name": "@dateforge/react-calendar", - "version": "1.5.0", + "version": "1.5.1", "license": "MIT", "devDependencies": { "@arethetypeswrong/cli": "0.18.2",
@@ -4588,9 +4588,9 @@ } }, "node_modules/brace-expansion": { - "version": "5.0.5", - "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-5.0.5.tgz", - "integrity": "sha512-VZznLgtwhn+Mact9tfiwx64fA9erHH/MCXEUfB/0bX/6Fz6ny5EGTXYltMocqg4xFAQZtnO3DHWWXi8RiuN7cQ==", + "version": "5.0.6", + "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-5.0.6.tgz", + "integrity": "sha512-kLpxurY4Z4r9sgMsyG0Z9uzsBlgiU/EFKhj/h91/8yHu0edo7XuixOIH3VcJ8kkxs6/jPzoI6U9Vj3WqbMQ94g==", "dev": true, "license": "MIT", "dependencies": {