Security fixes are applied to the latest release line and to main while the next release is being prepared. Older release lines are not maintained unless a support policy is announced with that release.
Please do not disclose a suspected vulnerability in a public issue, discussion, or pull request.
Use Report a vulnerability on the repository's Security tab when private vulnerability reporting is available. If that option is unavailable, contact the maintainer privately using a contact method listed on the maintainer's GitHub profile.
Include the affected version or commit, impact, reproduction steps or a proof of concept, and any known mitigations. You should receive an acknowledgement before any public disclosure; timing for a fix and coordinated disclosure will depend on severity and reproducibility.