The latest minor release of the package receives security fixes. Users on older releases should upgrade; the package follows semantic versioning, so upgrades within a major version are non-breaking.
Please do not open a public GitHub issue for security problems.
Report vulnerabilities privately via GitHub Security Advisories.
You can expect an initial response within a few business days. Once a fix is released, we credit reporters in the release notes unless they prefer otherwise.