Security fixes are applied to the default branch. Releases (and versioned support windows) will be documented here once the project publishes tagged releases.

If you believe you have found a security vulnerability, please do not open a public GitHub issue.

• Preferred (private): use GitHub Security Advisories (Repository → Security → “Report a vulnerability”).
• Fallback (private): open a private maintainer discussion and include “Security report” in the title.

When reporting, please include:

• A description of the issue and potential impact
• Steps to reproduce (proof-of-concept if possible)
• Any relevant logs, screenshots, or stack traces (redact secrets)

• We will acknowledge receipt within 7 days.
• We will work with you to validate the report and determine severity.
• We will coordinate a fix and disclosure timeline with the reporter when appropriate.