Only the latest release receives security fixes.
Please do not report security vulnerabilities through public GitHub issues.
Use GitHub's private vulnerability reporting instead:
Include a description of the issue, reproduction steps, and the potential impact. Reports are reviewed promptly and you will receive a response within 7 days.
Once a fix is confirmed, a patched release will be published and the advisory will be made public with credit to the reporter (unless you prefer to remain anonymous).