Security fixes are applied to the latest release line.

| Version | Supported |
|---|---|
| latest | yes |
| older versions | no |

Please do not disclose vulnerabilities in public issues.
Use one of these private channels:
- GitHub Security Advisories (preferred):
  - Go to the Security tab in this repository.
  - Click "Report a vulnerability".
- If Security Advisories are unavailable, contact maintainers privately and include [SECURITY] in the subject.
Please include:
- affected component(s) and versions
- reproduction steps or proof of concept
- impact assessment (confidentiality/integrity/availability)
- suggested remediation (if known)
- Initial acknowledgement: within 3 business days
- Triage and severity classification: within 7 business days
- Remediation plan or mitigation guidance: as soon as practical based on severity
- We validate and reproduce the issue.
- We prepare and test a fix.
- We publish a patched release and advisory.
- We credit reporters unless anonymous disclosure is requested.