This project uses an automated dependency update mechanism powered by Renovate, so vulnerabilities in the dependencies should be unlikely. If you do see a vulnerability in a dependency, that is not fixed within 24 hours of a patch becoming publicly available, please open an issue.
If you find a vulnerability in the project code itself, please e-mail the CODEOWNERS directly and DO NOT open an issue.