If there are vulnerabilities in composer-patches, don’t hesitate to report them using the “Report a vulnerability” form.

Once we have either published a fix or declined to address the vulnerability for whatever reason, you are free to publicly disclose it. Please do not disclose the vulnerability publicly until a fix is released.