Please do not disclose security issues publicly until maintainers have reviewed them.

Use GitHub private vulnerability reporting when available.

Security-sensitive areas include:

• repository access;
• secrets;
• automation;
• hooks and external event sources;
• extension execution;
• approval and audit logs;
• local file and terminal access in native clients.