Please do not open a public issue for security vulnerabilities.
Instead, report them privately through GitHub's "Report a vulnerability" flow. This creates a private advisory that only the maintainers can see.
You can expect an initial response within 30 days.