Security

SECURITY.md

Security Policy

Supported versions

Security fixes are applied to the latest state of the default branch.

Reporting a vulnerability

Do not open public GitHub issues for security-sensitive problems.

Report vulnerabilities privately to the maintainers with:

a clear description of the issue
affected files or code paths
reproduction steps
expected impact

If package execution, privilege escalation, or remote catalog handling is involved, include that context explicitly.

Response expectations

Initial triage: best effort
Fix timeline: depends on severity and maintainer availability
Public disclosure: after a fix is available or the risk is otherwise mitigated

There aren't any published security advisories