Please do not report security vulnerabilities via public GitHub issues.

Instead, use GitHub Private Security Advisories to report a vulnerability.

You can also email the maintainer directly (see the npm package author field).

• Description of the vulnerability
• Steps to reproduce
• Potential impact
• Suggested fix (if any)

• Acknowledgement: within 48 hours
• Initial assessment: within 7 days
• Fix or mitigation plan: within 30 days for high/critical issues

We will coordinate disclosure with you and credit you in the advisory unless you prefer to remain anonymous.