Please disclose any issues responsibly by using the private vulnerability reporting options from GitHub by creating an report in the repo by going to it's 'Security' tab and then to 'Advisories'.
You can also email them to raj.bos+githubSecurity@gmail.com if that works better for you.
I'm happy to have a look into it!