Security: StarkMindsHQ/StrellerMinds-Backend

SECURITY.md

Security Policy

Supported Versions

Security updates are provided for the actively maintained default branch. If this project begins publishing versioned releases, supported release lines will be documented here.

Reporting a Vulnerability

If you believe you have found a security vulnerability, please report it privately instead of opening a public issue.

Use GitHub's private vulnerability reporting feature from the repository's Security tab. If private vulnerability reporting is not available, contact a project maintainer through an established private channel.

Include the following details:

  • A clear description of the vulnerability.
  • Steps to reproduce the issue.
  • The affected endpoint, component, or configuration.
  • Any proof of concept, logs, screenshots, or request samples that help verify the issue.
  • Your contact information for follow-up questions.

Please do not include sensitive user data, credentials, access tokens, or production secrets in your report.

Response Process

The maintainers will acknowledge valid reports as soon as possible, typically within 3 business days. After acknowledgement, we will investigate the issue, assess impact and severity, and coordinate a fix.

When a vulnerability is confirmed, we will:

  1. Prioritize remediation based on severity and exposure.
  2. Prepare and test a fix.
  3. Release the fix through the appropriate branch, deployment, or release process.
  4. Publicly disclose details only after users have had a reasonable opportunity to update or the risk has otherwise been mitigated.

Responsible Disclosure

We ask reporters to act in good faith by avoiding privacy violations, data destruction, service disruption, and unauthorized access beyond what is necessary to demonstrate the vulnerability. Please allow the maintainers time to investigate and resolve the issue before public disclosure.

There aren't any published security advisories