Security fixes are issued only against the latest released version. Older versions do not receive backported patches — please upgrade before reporting, and confirm the issue still reproduces on the latest release where possible.
| Version | Supported |
|---|---|
| latest | ✅ |
| < latest | ❌ |
Please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests.
Use GitHub's built-in private reporting workflow:
This opens a private draft security advisory visible only to the repository maintainers. You can also reach the same form from the Security tab → Report a vulnerability.
If you cannot use GitHub's private reporting (for example, you don't have a GitHub account), email:
Whichever channel you use, please include as much of the following as you can to help us triage:
- A description of the vulnerability and its potential impact
- Steps to reproduce (proof-of-concept code, if applicable)
- The version(s) of the project affected
- Any known mitigations or workarounds
We aim to:
- Acknowledge reports within 5 business days.
- Provide a fix or mitigation timeline within 30 days.
- Work with you on coordinated disclosure.