Only the latest release receives security patches.
Use GitHub's private vulnerability reporting to report security issues. Do not open a public issue.
Expected response: acknowledgement within 48 hours, fix or mitigation within 90 days depending on severity.