To report a security vulnerability, please use the Tidelift security contact. Tidelift will coordinate the fix and disclosure.