Security fixes are applied to the latest release on the default branch (main) and, when relevant, backported to the most recent tagged release. Use the latest tag or main for deployments.
Please do not open a public issue for security reports.
- Use GitHub Security Advisories for this repository (preferred).
- If you cannot use advisories, email the maintainer privately (see profile on github.com/samson-art).
Include: affected version or commit, steps to reproduce, and impact if known. We aim to acknowledge within a few business days; resolution time depends on severity and complexity.
Reports should concern this codebase and its distribution (API, MCP server, Docker images published under this project). Third-party tools (e.g. yt-dlp), platform terms of service, and client-side misuse are outside this policy.