Please DO NOT open an issue on Github for a security issue.

Please avoid publicly disclosing a security issue for at least 90 days after discovering it.

Instead, email cal@calpaterson.com to co-ordinate a fix and public disclosure of the issue.

I'm happy to give you full credit for any issues you discover.