We release patches for the latest major.minor version.
Please report security issues via GitHub Security Advisories ("Report a vulnerability" in the repository Security tab) or e-mail the CODEOWNERS directly. DO NOT open an issue.
We use Renovate to automatically keep dependencies up to date. Routine updates are merged only after a 3-day delay ("cool-down") to reduce supply-chain risk from freshly compromised releases. Dependencies affected by high- or critical-severity vulnerabilities may be upgraded immediately; feel free to open an issue if urgent remediation is needed or if an automatic PR has not appeared.
We kindly request that you avoid public disclosure until a fix is available. We will coordinate a CVE if appropriate.