If you find a vulnerability (especially anything that could make the publish path spend money, activate ads, or fabricate a readback), please use GitHub's private vulnerability reporting ("Report a vulnerability" under the Security tab) instead of opening a public issue.