Security fixes are handled on the main branch until versioned releases are introduced.

Please do not open a public issue with exploit details.

Use GitHub private vulnerability reporting or GitHub Security Advisories when available. If private reporting is not enabled, open a public issue that only asks for a security contact and does not include payloads, credentials, database dumps, or reproduction details.

This project uses pnpm audit --audit-level moderate in CI and Dependabot for npm and GitHub Actions updates.