Security issues or vulnerabilities should be reported privately using GitHub's vulnerability reporting. This option is available on the "Security" section in the repository. Additional information is available on the GitHub Documentation.
If using GitHub reports is not preferred or you do not have a GitHub account, email at kevin@vcsjones.dev is acceptable. If necessary, email content can be encrypted using age using the following recipient key:
age1jns778dpwkxta0e6tjv3345jy6dfr8a8mq9xznge7muyz6nu0v5sg7x6wn
E-mail responses and handling will be slower than using the GitHub provided mechanism.