If you believe you have found a security vulnerability, please report it through GitHub Security Advisories with a detailed description of the issue, including:

• A clear explanation of the vulnerability.
• Steps to reproduce (proof-of-concept if possible).
• The affected versions and environment (OS, browser, runtime, etc.).
• Any potential impact you have identified.

Please do not open a public issue for security reports.

We aim to:

• Acknowledge receipt of your report within 3 business days.
• Provide an initial assessment or request for more information within 7 business days.
• Keep you informed of the progress and expected timelines for a fix.

After we confirm the vulnerability and prepare a fix, we will coordinate a disclosure timeline with you. In general, we prefer responsible disclosure: please do not publicly disclose the vulnerability until a fix has been released and users have had a reasonable opportunity to update.