Security: CochranResearchGroup/pdf-mutation

SECURITY.md

Security Policy

Supported Versions

Security fixes are provided for the latest released version of pdf-mutation. Older releases may receive fixes when the impact is high and the patch is small, but only the latest release should be considered actively supported.

Reporting a Vulnerability

Do not report suspected vulnerabilities in public issues.

Use GitHub private vulnerability reporting or open a private security advisory for the CochranResearchGroup/pdf-mutation repository. Include:

  • The affected version or commit.
  • A minimal reproduction case that does not include private PDFs.
  • The expected impact.
  • Any known workaround.

The maintainers will triage reports as time permits and coordinate public disclosure after a fix is available.

Private Documents

This tool is often used with sensitive PDFs. Do not attach private documents to public issues, pull requests, release discussions, or vulnerability reports. Prefer synthetic PDFs or reduced QDF snippets that demonstrate the issue without exposing private data.
