Security fixes are prioritized for:
- the latest published release
- the current develop branch
Older releases may not receive backported fixes.
Releases are published by merging develop into main and creating a tag from main.
Please do not open public GitHub issues for security vulnerabilities.
Use GitHub's private vulnerability reporting flow if it is enabled for this repository. If private reporting is not available in the repository UI, contact the maintainers directly through GitHub before any public disclosure.
Include the following in your report when possible:
- affected package and version
- impact and attack surface
- reproduction steps or proof of concept
- any known mitigation or workaround
Valid reports will be acknowledged, investigated privately, and addressed in a release or advisory when a fix is available.