Please do not open a public issue for security-sensitive reports.

• Prefer: GitHub Security Advisory (repository → Security → Advisories)
• If advisories are not available, contact the maintainers privately

When reporting, include:

• A clear description of the impact
• Reproduction steps / PoC (if possible)
• Affected versions / commit SHA