Security updates are applied only to the most recent releases.

To securely report a vulnerability, please open an advisory on GitHub. This form is also accessible when submitting a new issue.

1. Your report will be acknowledged within two business days.
2. The team will investigate and update the issue with relevant information.
3. If the team does not confirm the report, no further action will be taken and the issue will be closed.
4. If the team confirms the report, the team will take action to fix it immediately:
   1. Commits will be handled in a private repository for review and testing.
   2. Release a new patch version from the private repository.
   3. Write a blog post disclosing the vulnerability.
   4. Notify Tidelift about the vulnerability.