If you discover a security issue, please do not open a public GitHub issue first.
Instead, report it privately through GitHub Security Advisories or the maintainer contact path chosen for this repository.

Please include:
- affected package or app
- reproduction steps
- impact
- suggested mitigation, if known

Security-sensitive areas may include:
- runtime event contracts
- worker/runtime boundaries
- Web Component embedding surfaces
- WASM loading and fallback behavior
- host-controlled graph/document input paths

We will try to:
- acknowledge the report
- assess severity
- provide a fix or mitigation path
- disclose publicly only after a fix or safe mitigation is available