The only version of Sparkle that's supported is the latest one. Vulnerabilities in old versions of Sparkle will not get retroactive fixes.
In most cases, you should report vulnerabilities privately via the Security and quality tab in GitHub. Once a version of Sparkle that fixes the vulnerabilities has been released, it is okay to discuss them in public.
Reports that were written partially or entirely with LLMs are heavily discouraged and may be ignored. It's alright if you initially discovered the vulnerability with an LLM, but the actual report and all of its code must be manmade in its entirety.
Note that security problems in the SparkleAddons repository should not be reported here.