All MAJOR versions of this package will receive security updates for two years after the next major version is released. For example, if version 4.0.0 is released, version 3.x will continue receiving security updates for two years from that date.
Versions outside this window are considered end-of-life and will no longer receive updates, even for critical vulnerabilities.
If you discover a security issue, please report it using GitHub's "Report a vulnerability" feature under the Security tab of this repository.
When reporting, please include the following information to help us investigate quickly and thoroughly:
- A clear description of the vulnerability and what part of the code it affects.
- Steps to reproduce the issue, ideally including:
  - The affected version
  - A code snippet or minimal test case
  - The expected vs. actual behavior
- If applicable, an explanation of potential impact or severity.
- Any suggested mitigations or patches (optional, but appreciated).
Please do not disclose the vulnerability publicly until we've had a chance to investigate and publish a fix.
We appreciate responsible disclosure and are committed to resolving issues promptly.