Please do not open GitHub issues or pull requests - this makes the problem immediately visible to everyone, including malicious actors.

To report a security issue, please use https://g.co/vulnz. We use g.co/vulnz for our intake, and do coordination and disclosure here on GitHub (including using GitHub Security Advisory). The Google Security Team will respond within 5 working days of your report on g.co/vulnz.