Security fixes target the current default branch unless a maintained release branch is explicitly documented.

Do not open a public GitHub issue for a suspected vulnerability.

Use GitHub's private vulnerability reporting flow if it is available for this repository:

- Open the repository on GitHub.
- Go to Security.
- Choose Report a vulnerability.

If private vulnerability reporting is not available, contact a maintainer privately through GitHub and share the minimum details needed to establish a secure reporting channel.

Include:

- Affected files, commands, or integrations.
- A concise impact description.
- Reproduction steps or a proof of concept when safe to share.
- Relevant environment details.
- Whether the issue is already public.

Do not include real secrets, production credentials, private customer data, or exploit steps that are unnecessary to validate the report.

Maintainers will acknowledge valid reports as promptly as practical, investigate impact, and coordinate disclosure timing when a fix is needed.

Security fixes should include tests or verification notes when practical.