Security: chtnnh/webring-kit

SECURITY.md

Security Policy

Supported versions

Security fixes are applied to the latest minor release.

Reporting a vulnerability

Open a private security advisory on GitHub, or email the maintainer listed in the package metadata.

Security model

Webring Kit intentionally does not execute code from ring manifests.

  • Ring JSON is treated as untrusted input.
  • URLs are validated and restricted to http: and https:.
  • Site titles and descriptions are rendered with textContent, never innerHTML.
  • Links opened with target="_blank" use rel="noopener noreferrer".
  • The widget does not set cookies.
  • localStorage caching is opt-in.
  • The CLI can verify reciprocal links and well-known ownership files.
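
The URL, rendering and link rules above, sketched as an added example (not Webring Kit's own code). The manifest shape `{ sites: [{ url, title }] }` and the names `safeHttpUrl`, `parseRing`, `renderSiteLink` and `SAMPLE_RING` are assumptions made for illustration.

```javascript
// Added example, not Webring Kit's code. The manifest shape and all
// function names here are assumptions.
const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);

// Return a normalized href, or null unless value is an absolute http(s) URL.
function safeHttpUrl(value) {
  if (typeof value !== "string") return null;
  try {
    // Compare the parsed scheme: the parser normalizes case and stray whitespace.
    const parsed = new URL(value); // no base, so relative URLs throw
    return ALLOWED_PROTOCOLS.has(parsed.protocol) ? parsed.href : null;
  } catch {
    return null;
  }
}

// Parse untrusted ring JSON; keep only entries whose URL passes the check.
function parseRing(jsonText) {
  let data;
  try {
    data = JSON.parse(jsonText);
  } catch {
    return { sites: [], rejected: 0 };
  }
  const entries = data && Array.isArray(data.sites) ? data.sites : [];
  const sites = [];
  let rejected = 0;
  for (const entry of entries) {
    const url = entry && typeof entry === "object" ? safeHttpUrl(entry.url) : null;
    if (url === null) { rejected += 1; continue; }
    sites.push({ url, title: typeof entry.title === "string" ? entry.title : url });
  }
  return { sites, rejected };
}

// Build the link; doc is the browser's document, passed in so this is testable.
function renderSiteLink(doc, site) {
  const a = doc.createElement("a");
  a.href = site.url;
  a.target = "_blank";
  a.rel = "noopener noreferrer";
  a.textContent = site.title; // markup in a title stays inert text
  return a;
}

// Constructed sample manifest: two acceptable entries, three that must be dropped.
const SAMPLE_RING = JSON.stringify({ sites: [
  { url: "https://alice.example/", title: "<b>Alice</b>" }, { url: "HTTP://Bob.example" },
  { url: "javascript:void(0)", title: "x" }, { url: "/relative/path", title: "y" },
  { url: "ftp://files.example/", title: "z" } ] });
```
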

There aren't any published security advisories