Please do not open a public issue for a suspected security vulnerability.
Use GitHub private vulnerability reporting to send the maintainers:
- A description of the vulnerability and its impact
- A minimal reproduction or proof of concept
- Affected versions or commits, if known
- Any suggested mitigation
Do not include real credentials, customer data, or other sensitive information in a report. Use synthetic test data and revoke any credential that may have been exposed.
The maintainers will investigate the report and coordinate disclosure after a fix or mitigation is available. Please keep vulnerability details private until that process is complete.
Security fixes target the latest release and the current default branch. Older releases may not receive patches.