Security fixes are currently accepted for the latest main branch and the most recent tagged release.

Please do not open public issues for suspected security vulnerabilities. Report them by opening a private security advisory on GitHub, or by contacting the maintainers through the security contact listed on the project page.

Include:

• Affected version or commit
• Input sample or reproduction steps, when safe to share
• Expected and observed behavior
• Impact assessment, including whether untrusted input is required

We aim to acknowledge reports within 7 days and will coordinate disclosure timing with the reporter when a fix is required.