• Please report vulnerabilities privately via GitHub Security Advisories or email: [email protected].
• Do not open public issues for sensitive reports.
• We aim to respond within 3 business days.

Scope: bin/, src/, and release artifacts. Do not test production npm tokens or secrets.