Please do not open public issues for security reports.

Instead, report privately to the repository maintainers with:

• a description of the issue and potential impact
• minimal reproduction steps
• affected versions/commit (if known)

We will acknowledge receipt and coordinate a fix and disclosure timeline.