Do not open a public GitHub issue for security-sensitive reports.

Use GitHub's private vulnerability reporting for this repository if it is enabled. If private reporting is not available, contact the maintainers out-of-band before disclosing details publicly.

When reporting, include:

• affected component or file
• impact
• reproduction steps
• any proposed mitigation or fix

Security fixes are expected to land on the active default branch.