Security fixes are applied to the latest development line first.

Please report vulnerabilities through GitHub Security Advisories for this repository or contact the maintainers privately. Do not open a public issue for an unpatched security problem.

Reports are especially helpful when they involve:

• unexpected code execution through provider factories or container hooks;
• token collisions or registry behavior that can resolve the wrong dependency;
• metadata leaks that expose implementation details across package boundaries; or
• denial-of-service style resolution loops that can be triggered by untrusted input.