Please do not open a public issue for security reports.

Use GitHub's private vulnerability reporting for this repository when it is enabled. If private reporting is unavailable, contact the maintainer privately through GitHub before disclosing details publicly.

Include:

1. A clear description of the issue and impact
2. Steps to reproduce or a proof of concept
3. The affected commit SHA or release tag
4. Any suggested remediation or mitigation