Please use GitHub Security Advisories private reporting:

1. Open the repository Security tab.
2. Click Report a vulnerability.
3. Submit a private advisory with reproduction details and impact.

Do not report security vulnerabilities in public issues, discussions, or pull requests.

• A clear description of the vulnerability
• Affected versions/commit ranges (if known)
• Reproduction steps or proof-of-concept
• Potential impact
• Suggested mitigation (optional)

• Initial triage target: within 5 business days
• Follow-up status updates: as fixes are validated
• Coordinated disclosure: after a fix or mitigation is available

Security fixes are prioritized for the latest released major line.