Security fixes are handled on each repository's default branch unless that repository says otherwise.
Do not publish exploit details, credentials, tokens, private URLs, screenshots, logs, or personal data in a public issue.
If the repository shows GitHub's Report a vulnerability button, use that flow so the report stays private. If private vulnerability reporting is unavailable, open a minimal issue asking for a private contact channel and leave sensitive details out of the issue body.
Active Node projects should keep lockfiles committed, use dependency audits where configured, and review Dependabot updates promptly.
These repositories are personal, coursework, portfolio, or experiment projects. They do not provide a production support SLA, but security reports will be reviewed as practical.