Security updates are provided for the latest release on the default branch.

Please report suspected vulnerabilities privately to the repository maintainers using the repository's private vulnerability reporting feature, if available.

Do not open a public issue for an unpatched vulnerability. Include:

• Affected utility and version.
• Steps to reproduce or a minimal proof of concept.
• Expected and observed behavior.
• Any known impact.
• Whether the issue may expose tokens, plaintext secrets, or encrypted repository metadata.

The maintainers will acknowledge reports as soon as practical and coordinate disclosure after a fix is available.