Supported version: the latest main. chad is pre-1.0 and single-user; fixes land on
main, not on backported releases.
Reporting a vulnerability: report privately via GitHub Security Advisories — the "Report a vulnerability" button on the repo's Security tab — not a public issue.
CodeQL and a dependency audit already run in CI on every push
(.github/workflows/codeql.yml, .github/workflows/security.yml).