Please do not open a public issue for security-sensitive problems.

Instead:

1. Use GitHub private vulnerability reporting if it is enabled for the repository.
2. If private reporting is not available, contact the maintainer through GitHub and include enough detail to reproduce the issue safely.

When reporting a vulnerability, include:

• affected component or file
• impact and attack surface
• reproduction steps
• suggested mitigation, if you have one

• Do not post secrets, tokens, or private documents.
• Do not include real customer or personal data.
• Use sanitized examples where possible.

Reports will be triaged as quickly as possible. Fix timing depends on severity, exploitability, and maintainer availability.