Security fixes are provided for the latest release line.

1. Do not disclose vulnerabilities publicly before a fix is available.
2. Open a private security advisory in GitHub for this repository.
3. If private advisory is unavailable, contact maintainers privately and include:
   • affected component
   • impact
   • reproduction steps
   • suggested mitigation (if available)

We will acknowledge valid reports and coordinate remediation and disclosure timing.