Security fixes are handled on the latest released minor version.

Report security issues through the public repository's private vulnerability reporting channel if it is enabled. If private reporting is not available, email the maintainers listed in the repository metadata.

Do not open a public issue for a vulnerability until maintainers have confirmed that disclosure is appropriate.