Security updates are applied to the latest maintained version on the default branch.

Please report vulnerabilities privately and do not open public issues for security findings.

• Contact: security reports may also be opened through GitHub Security Advisories when enabled

Include the following details when possible:

• Vulnerability type and impact
• Affected components/files
• Reproduction steps or proof of concept
• Suggested remediation (if known)

• Initial acknowledgment: within 3 business days
• Triage and severity assessment: within 7 business days
• Fix timeline: based on severity and complexity

If the report is accepted, maintainers will coordinate disclosure timing and release notes.