The full threat model, SSRF/cache/retry guidance, and local security checks live in SECURITY.md at the repository root (also shipped on npm).

Please do not open a public issue for undisclosed security defects.

• Prefer a GitHub private security advisory for this repository, or
• Contact the maintainer privately if you cannot use GitHub advisories.

Include enough detail to reproduce or reason about impact. We aim to acknowledge valid reports and coordinate disclosure after a fix is available.