Packages are versioned and released independently. Security fixes normally target the latest published release line for the affected package, and maintainers may ask reporters to verify the issue against the current release before coordinating a fix.

Use GitHub private vulnerability reporting if it is enabled for the affected repository.

If private vulnerability reporting is not available, open a minimal issue without exploit details. Maintainers will coordinate privately before public disclosure.