Security fixes target the latest release on main until the project publishes formal versioned support.

Please do not open a public issue for security-sensitive reports. Use GitHub Security Advisories if they are enabled for the repository, or contact the maintainer through GitHub with a minimal description that does not expose private audio, API keys, or credentials.

Useful reports include:

• Secret leakage paths
• Unsafe handling of local reference audio
• Cross-site scripting or browser injection issues
• Server-side request or file access issues
• Cost-amplification paths against paid Fish Audio API usage

This project is intended for references you have permission to use. Reports about abuse-enabling workflows are welcome, especially when they include a concrete mitigation.