Security fixes are applied on a best-effort basis to:
- latest
mainbranch - latest tagged release line
Older tags may not receive backported fixes.
Please report vulnerabilities privately. Do not open a public GitHub issue for sensitive details.
Preferred path:
- Use GitHub private vulnerability reporting for this repository (Security Advisories).
- Include:
- affected version/commit
- impact and attack scenario
- reproduction steps or proof of concept
- any suggested remediation
You can expect:
- acknowledgment after triage
- coordinated remediation plan
- disclosure timing aligned with fix availability
After a fix is available, maintainers may publish:
- affected versions
- mitigation guidance
- fixed version/commit references