Security updates are applied to the latest minor within the current major version. Critical fixes may be backported to the previous minor when practical (see Support Policy).

Please do not open a public issue for security vulnerabilities.

To report a vulnerability:

1. Email the maintainers or open a private security advisory on GitHub if the repo supports it.
2. Include a clear description, steps to reproduce, and impact.
3. Allow reasonable time for a fix before any public disclosure.

We will acknowledge receipt and aim to respond with next steps promptly.