Please do not report security vulnerabilities in public issues, pull requests, or discussions.
If you believe you have found a vulnerability, report it privately using GitHub Security Advisories:
- Go to this repository’s Security tab.
- Click Report a vulnerability.
- Include a clear description of the issue, affected versions or commits if known, reproduction steps, impact, and any suggested fix.

We aim to acknowledge new reports within 3 business days. After triage, we will let you know whether the report is accepted, needs more information, or is out of scope.
If accepted, we will coordinate with you through the private advisory until a fix is available. We may ask for additional details, validate the impact, prepare a patch, and publish the advisory once users have a reasonable upgrade path.
If declined, we will explain why, for example if the report is not reproducible, is expected behavior, or does not create a meaningful security impact.
Please give us a reasonable amount of time to investigate and release a fix before disclosing the issue publicly.