Security fixes will be released as a new version. Since the API is relatively stable and this is a small project, we release security fixes in new releases.

To report a security vulnerability, please use the Tidelift security contact. Tidelift will coordinate the fix and disclosure.