Please do not open a public issue for security problems.

Instead, report privately via:

• GitHub Security Advisories (preferred)

Please include steps to reproduce and the affected version (tag or commit). We aim to acknowledge reports within a few days and will keep you updated on the fix.

• shiftjis_download.gs — runs inside Google Apps Script; uses only built-in services and contains no secrets.
• tools/verify_csv.py — a zero-dependency local CLI; reads files you point it at and (with --fix) overwrites the target after creating a .bak.

This project has no third-party dependencies, which keeps the supply-chain surface minimal.

The latest released version receives fixes.