only the latest release receives security fixes.

settings, canvas state, and exported svg text stay in the browser.

google sign-in uses supabase auth. the client uses the public supabase anon key and pkce flow.

do not open a public issue for a security problem.

open a private security advisory in github.