We currently only support the latest code on our primary branch. Security fixes are not backported to older commits.

| Branch | Supported |
|---|---|
| main | Yes |

We take the security of our project seriously. If you discover a security vulnerability, please do not open a public issue or pull request. Publicly disclosing a vulnerability exposes the project and its users to exploits before a patch can be issued.
Please report all security vulnerabilities privately via "Report new vulnerability".
To help us investigate and resolve the issue as quickly as possible, please include the following information:
- A detailed description of the vulnerability and its potential impact.
- Step-by-step instructions to reproduce the issue.
- The specific environment or configuration under which the vulnerability occurs.
Upon receiving a report, we handle the process as follows:
- Response Timeline: We will acknowledge receipt of the report within 3 business days.
- Disclosure Process: Valid vulnerabilities will be investigated and patched privately within a GitHub Security Advisory. We will publicly disclose the details only after a fix is available on the `main` branch.