Do not open a public issue for security problems.
Use GitHub private vulnerability reporting: Security → Report a vulnerability on the affected repository. The report stays private between you and the maintainers.
Only the latest release of each project receives security fixes.
- First response within 72 hours.
- The fix is coordinated privately: patch, then release, then advisory.
- You get credit in the advisory unless you prefer otherwise.