Please do not open a public issue for suspected security vulnerabilities.
Email the maintainer at security@samlaycock.dev with:
- A description of the vulnerability and impact.
- Reproduction steps or proof of concept.
- Affected versions or commit SHAs.
- Any relevant platform details.
You should receive an initial response within 7 days. If the report is accepted, we will coordinate a fix and disclosure timeline before publishing details.
Before the first stable release, security fixes target the latest published version and the default branch.