If you have found a security issue in this project, please report it privately to [email protected] rather than opening a public GitHub issue. Include a clear description of the problem, steps to reproduce it, the commit SHA you tested against, and any proof-of-concept code or output so I can triage it quickly.
I respond to every report within 7 days. Confirmed issues are patched on main and released as a tagged version, and reporters are credited in the release notes unless they ask to remain anonymous. This policy covers the code in this repository only. Vulnerabilities in upstream dependencies or third-party services should be reported to those projects directly.
Security fixes land on the latest minor release. Pin to a tagged release if you need a stable version surface.

| Version | Supported |
|---|---|
| 1.1.x | yes |
| 1.0.x | no |
| < 1.0 | no |