The 1.x release line is supported. Older major versions are unsupported unless
a release-specific notice states otherwise. See the
compatibility policy for runtime support.
Do not open a public issue. Use GitHub's Report a vulnerability feature on the repository Security tab. If private vulnerability reporting is unavailable, contact the repository owner through their GitHub profile without including exploit details in a public message.
Include the affected revision, prerequisites, reproduction steps, impact, and any known mitigation. Expect acknowledgement within seven calendar days. A fix or disclosure date depends on severity and reproducibility and will be agreed with the reporter where practical.