Do not open a public issue. Instead, report security vulnerabilities privately:

1. GitHub Security Advisory — Go to Security Advisories and create a new draft advisory.
2. Or email: faisalaffan.dev@gmail.com

You should receive a response within 48 hours. We take all security reports seriously.

• Reporter will be acknowledged (unless they prefer anonymity).
• Fix will be released as a patch version.
• Public advisory will be published after the fix is released.