Please do not publish suspected vulnerabilities in a public issue.
Use GitHub private vulnerability reporting and include the affected version, reproduction steps, and expected impact. Reports should distinguish package behavior from demo-only behavior when possible.
The latest tagged release receives security fixes. Older releases may require upgrading.