Security fixes are prioritized for the latest published 0.x release line and main.

Please report vulnerabilities privately to steven@usejunior.com.

Include:

• affected package(s) and version(s)
• reproduction steps or proof of concept
• impact assessment
• suggested mitigation (if available)

Do not open a public issue for an unpatched vulnerability.

• Initial acknowledgement target: within 3 business days.
• Triage and severity assessment target: within 7 business days.
• Fix timeline depends on severity and complexity.

• safe-docx is intended for local execution and local file editing workflows.
• External dependencies are monitored through normal dependency updates and CI.