In the unlikely event that you discover a security problem, do not report it as an issue! This will make it public, and for security problems, this is very bad.

Instead, please contact me directly regarding security problems. I will do my best to fix it, release a new version, and issue a security advisory for previous affected versions. If it's really serious, I may temporarily lockdown the repository.

Don't fret about whether something is serious enough to warrant directly contacting me—if you think it's a security vulnerability, it probably is. It is completely reasonable to be a bit overzealous with something as important as security. If you really want to be sure, you can check the Common Weakness Enumerators database to see if there's an entry: https://cwe.mitre.org/.