Security fixes are applied to the latest development branch and the latest tagged release series.

Do not open a public issue for security-sensitive reports.

Instead:

1. Use GitHub private vulnerability reporting for this repository if it is enabled.
2. If private reporting is unavailable, contact the repository maintainers directly.
3. Include reproduction steps, affected version or commit, impact, and any suggested mitigation.

You can expect an initial response within 5 business days. After triage, maintainers will coordinate a fix, disclosure timing, and release notes.