Security: Recoveredd/hex-grid-kit

Security

SECURITY.md

If you find a security issue, please do not open a public issue with exploit details.

Open a private GitHub security advisory or contact the maintainer through the repository profile.

Scope

hex-grid-kit is a client-side utility package. Security-sensitive areas are:

  • SVG string rendering from user-provided labels or attributes.
  • DOM mounting into a browser container.
  • Handling untrusted coordinate or metadata values.

The package escapes rendered SVG text and attributes, but applications should still avoid passing untrusted HTML into their own surrounding UI.
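The three areas listed above, shown as an added illustration that is not hex-grid-kit's own code: `escapeXml`, `toCoord`, `renderCellLabel` and the attribute allowlist are hypothetical names, and the input is constructed.

```javascript
// Added illustration; none of these names are hex-grid-kit's API.
const XML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape a value for use in SVG text content or a quoted attribute value.
function escapeXml(value) {
  return String(value)
    // Drop control characters that XML 1.0 forbids (keeps tab, LF, CR).
    .replace(/[\u0000-\u0008\u000B\u000C\u000E-\u001F]/g, '')
    .replace(/[&<>"']/g, (ch) => XML_ENTITIES[ch]);
}

// Coordinates must be finite numbers; strings, NaN and Infinity are rejected
// instead of being interpolated into the markup.
function toCoord(value) {
  if (typeof value !== 'number' || !Number.isFinite(value)) {
    throw new TypeError('coordinate must be a finite number');
  }
  return value;
}

// Attribute names come from a fixed allowlist (an assumption of this example),
// so event-handler attributes can never be emitted from caller metadata.
const ALLOWED_ATTRS = new Set(['id', 'class', 'fill', 'stroke', 'data-kind']);

function renderCellLabel({ x, y, label, attrs = {} }) {
  const parts = [`x="${toCoord(x)}"`, `y="${toCoord(y)}"`];
  for (const [name, value] of Object.entries(attrs)) {
    if (!ALLOWED_ATTRS.has(name)) continue; // unknown names are dropped
    parts.push(`${name}="${escapeXml(value)}"`);
  }
  return `<text ${parts.join(' ')}>${escapeXml(label)}</text>`;
}

// Constructed sample: markup in the label, a quote in an attribute value,
// and an attribute name outside the allowlist.
const sample = renderCellLabel({
  x: 10,
  y: 20.5,
  label: '</text><script>x()</script>',
  attrs: { fill: '" onload="x', onclick: 'y()', class: 'hex' },
});
console.log(sample);
```

A string built this way is safe to mount as SVG, but the surrounding application still has to treat any HTML it assembles around it separately.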

There aren't any published security advisories