Only the latest published release receives security fixes.
Please do not open a public GitHub issue for security vulnerabilities.
Use GitHub's private vulnerability reporting instead: Report a vulnerability
Include as much detail as possible:
- A description of the vulnerability and its potential impact
- Steps to reproduce or a proof-of-concept
- Any suggested mitigations you are aware of
You will receive an acknowledgement within 5 business days. If the report is confirmed, a fix will be released as soon as practical and you will be credited in the release notes (unless you prefer to remain anonymous).