You can find our security.txt here: security.txt

Do not open a public GitHub issue or submit a public pull request describing the vulnerability.

We use several automated mechanisms to help detect and reduce risk:

• GitHub code scanning for static analysis.
• Dependency scanning and alerts for known vulnerabilities.

• Automated dependency updates.
• Renovate is configured to only propose updates for packages that have been published for at least 3 days.
  This allows time for the ecosystem to discover and revert problematic releases.

pnpm is configured to ensure no dependency version newer than 24 hours is installed.