Only the latest release receives security fixes. Always upgrade to the most recent version.

Do not open a public GitHub issue for security vulnerabilities.

Instead, report them through GitHub's private vulnerability reporting.

• A description of the vulnerability
• Steps to reproduce
• The potential impact
• A suggested fix, if you have one

• 48 hours — Acknowledgment of your report
• 30 days — Patch or mitigation released (sooner when possible)

Once a fix is released, we will credit the reporter in the release notes unless they prefer to remain anonymous.