We just need to follow responsible disclosure first by notifying the maintainers, working with them on a fix, and making it public once it is resolved.