To report a security vulnerability please open a new issue with the label security. Security issues are a priority, and we aim to resolve them within 48 hours. If a security vulnerability cannot be resolved by us, we will raise the issue upstream with relevant parties such as 3rd party package managers.

If you need to reach out regarding a security issue that is critically urgent then you can reach out directly to @jamesrweb.