the latest main branch is the supported code line for now. if npm releases are published later, the latest published release will be treated as the supported package version.

do not open a public issue for a sensitive vulnerability.

if GitHub private vulnerability reporting is enabled for this repository, use that channel. otherwise, contact Abedalaziz Alzweidi through the repository owner profile and include:

• the affected commit or version
• clear reproduction steps
• the impact you believe the issue has
• any suggested mitigation if you already have one

public discussion can follow after a fix or mitigation is available.