Security patches are released for the latest major.minor version only. See our releases page for the current version.
Please report security issues via GitHub Security Advisories ("Report a vulnerability" in the repository Security tab) or e-mail the CODEOWNERS directly.
DO NOT open a public issue for security vulnerabilities.
We will acknowledge receipt of your report and work with you to understand and address the issue.
We use Renovate to keep dependencies up to date automatically. Routine updates are merged only after a 3-day delay ("cool-down") so that a freshly compromised release is likely to have been yanked or flagged before we adopt it, reducing supply-chain risk. Updates that fix high or critical severity vulnerabilities bypass the cool-down and may be merged immediately; because such advisories are already public, feel free to open an issue if urgent remediation is needed or if an automatic PR has not appeared.
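For readers who want to reproduce this policy in their own repositories, the following `renovate.json` is an illustrative configuration added here; it is not this project's own Renovate configuration. It assumes the current Renovate option names: `minimumReleaseAge` applies the cool-down to routine updates, `internalChecksFilter: "strict"` prevents Renovate from proposing a version that fails that age check, and the `vulnerabilityAlerts` block overrides the cool-down to `null` so fixes for published advisories are raised immediately.

```json
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["config:recommended"],
  "minimumReleaseAge": "3 days",
  "internalChecksFilter": "strict",
  "osvVulnerabilityAlerts": true,
  "vulnerabilityAlerts": {
    "minimumReleaseAge": null,
    "labels": ["security"]
  }
}
```

Renovate reads the release timestamp from the registry, so the delay is measured from publication, not from when the update is first seen; a package whose registry does not expose release dates is not delayed and should be reviewed manually.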
- Branch Protection: Required reviews and status checks on the main branch
- Dependency Scanning: Automated via Renovate
- Code Review: All changes require maintainer approval
- Workflow Security: CI workflows run with minimal token permissions and are checked for dangerous patterns
We kindly request that you avoid public disclosure until a fix is available. We will coordinate a CVE if appropriate.