Please report security issues privately — do not open a public issue.

Use the "Report a vulnerability" button on the Security tab of the affected repository. Private vulnerability reporting is enabled on all public repositories.

Include the affected version/commit, reproduction steps, and impact. You'll get an acknowledgement within a few days, followed by a coordinated fix and disclosure.

Only the latest released version of each library is supported. Pre-1.0 (0.x) releases may contain breaking changes between minor versions.