Only the current stable release line receives security fixes. Older releases are best-effort and may not get patches. The stable line is the most recent minor version tagged on this repo (see Releases).

Please do not open public GitHub issues for security vulnerabilities.

Report them privately via GitHub private vulnerability reporting. This is the only supported reporting channel and produces a private thread with the maintainers.

Expect an initial acknowledgement within a few business days. Once the report is confirmed, we will coordinate a fix, a release, and (where appropriate) a security advisory with CVE assignment.

See CONTRIBUTING.md for the corresponding contributor-facing note.