If you discover a bypass that allows obvious impersonation, route collision, or severe unsafe terms, please open a private security report if the repository has private vulnerability reporting enabled.
Do not publicly post a long list of bypass examples before the maintainer has had a chance to patch the package.