If you find a security issue, do not open a public issue with exploit details.

Until a dedicated security contact is added, report the issue privately to an organization owner or repository maintainer. Include a clear description, affected area, reproduction steps, and any suggested mitigation.