Please do not disclose security vulnerabilities publicly before maintainers have had a chance to investigate and respond.
To report a vulnerability:
- Open a private security advisory on GitHub (preferred), or
- Contact the maintainers directly through the repository's contact channels.
Include:
- affected component(s)
- reproduction steps
- potential impact
- suggested mitigation (if available)
Maintainers will:
- acknowledge receipt
- assess impact and severity
- provide remediation guidance and timeline where possible
Security reports are most relevant for:
- unsafe file handling
- command execution risks
- dependency vulnerabilities
- denial-of-service inputs