Please report security vulnerabilities privately rather than opening a public issue.
Use GitHub's private vulnerability reporting: open the Security tab and click "Report a vulnerability". This creates a private advisory visible only to you and the maintainers.
We aim to acknowledge reports within a few working days and will keep you informed as we investigate and prepare a fix. When a fix is released, we publish a security advisory and credit you as the reporter unless you prefer to remain anonymous.
Security fixes are made against the latest released version. Please make sure you are on the most recent release before reporting an issue.