| Version | Supported |
|---|---|
| 1.1.x | Yes |
| 1.0.x | No |

Please do not open a public GitHub issue for security vulnerabilities.
Send a private report to the project maintainers via GitHub's private vulnerability reporting (or the contact details in the project README).

Include:

- A description of the vulnerability and its impact
- Steps to reproduce, or a proof-of-concept if possible
- The version affected
- Any suggested fix

You can expect an acknowledgement within a week, and a status update within two weeks. A CVE will be requested for confirmed issues and credited appropriately.