Security fixes are prioritized for the latest release on the default branch.
If you are running an older release, upgrade to the latest version before reporting runtime behavior as a security issue.
Please do not open public GitHub issues for suspected vulnerabilities.
Use one of these private channels instead:
- GitHub Security Advisories for this repository (
Securitytab ->Report a vulnerability) - If private reporting is unavailable, open a maintainer contact issue that contains no exploit details and asks for a private follow-up channel
Include:
- Affected version/commit
- Impact summary
- Reproduction steps or proof of concept
- Suggested mitigation if available
- Initial triage target: within 3 business days
- Status updates: at least weekly for confirmed issues
- Remediation and release timing depends on severity and exploitability
Never commit real credentials, tokens, private keys, or production environment values.
Use local .env.local files and keychain/secret-store references. Commit only example templates such as .env.example files with empty or placeholder values.