Security fixes are applied on main.

Please report vulnerabilities privately via GitHub Security Advisories for this repository.

If advisory reporting is unavailable, open a private issue with reproduction steps, impact, and suggested fix.

Do not disclose vulnerability details publicly before a fix is available.