The preferred method for reporting a vulnerability is to use GitHub's vulnerability reporting tool. Within the report please include details about the vulnerability and how to reproduce it. Someone will reply to acknowledge receipt of the that the vulnerability report. After an initial investigation of the report, another message will be sent with details about how the maintainers plan to release the fix or asking for more information about the vulnerability report.

A description of the vulnerability will be made public after a new version has been published that addresses the issue or within 120 days, whichever occurs first.