Security fixes are applied to the latest code on the default branch until versioned releases are published.
Do not open a public issue for a suspected vulnerability or exposed credential. Use GitHub's private security-advisory form and include reproduction steps, impact, affected versions, and any suggested remediation.
If a real credential or customer record appears in the repository, revoke or rotate the credential first, then report the exposure privately. Removing a value from a later commit does not remove it from Git history.