# Security Policy

## Supported Versions

Each MAJOR version of this package will receive security updates for **two years after the next major version is released**. For example, if version 4.0.0 is released, version 3.x will continue receiving security updates for two years from that date.

Versions outside this window are considered end-of-life and will no longer receive updates, even for critical vulnerabilities.

## Reporting a Vulnerability

If you discover a security issue, please report it using GitHub's [**"Report a vulnerability"** feature](../../security/advisories/new) under the **Security** tab of this repository.

When reporting, please include the following information to help us investigate quickly and thoroughly:

- A clear description of the vulnerability and what part of the code it affects.
- Steps to reproduce the issue, ideally including:
  - The affected version
  - A code snippet or minimal test case
  - The expected vs. actual behavior
- If applicable, an explanation of potential impact or severity.
- Any suggested mitigations or patches (optional, but appreciated).

Please do not disclose the vulnerability publicly until we've had a chance to investigate and publish a fix.

We appreciate responsible disclosure and are committed to resolving issues promptly.
