Security fixes target the current main branch until the project starts
publishing versioned releases.
Please do not report security vulnerabilities in a public issue.
Use GitHub's private vulnerability reporting for this repository. If it is not
enabled, open a public issue titled `security: private disclosure channel needed`,
without vulnerability details, so maintainers can provide a private channel.
In the private report, include:
- affected version or commit
- steps to reproduce
- expected impact
- whether the issue is already public or being actively exploited
We will acknowledge reports as soon as practical, investigate privately, and coordinate disclosure after a fix or mitigation is available.