Security fixes are applied on a best-effort basis to:
main- the latest stable release tag
Pre-release tags may receive fixes when practical, but they should not be treated as long-term supported releases.
- Use GitHub private vulnerability reporting from the repository Security tab whenever possible.
- Do not open public issues, pull requests, or discussions for security vulnerabilities.
- Include the affected area, impact, reproduction details, and any suggested remediation if you have it.
Repository security page:
If private vulnerability reporting is unavailable for any reason, contact the maintainer through GitHub directly and keep the report non-public.
- Initial acknowledgement target: within 5 business days
- Follow-up: status updates as triage and remediation progress
- Disclosure: coordinated disclosure after a fix is available or mitigation guidance is ready
General usage questions, feature requests, and non-security bugs should go through the normal support and issue channels described in SUPPORT.md.