Only the latest version is supported, unless a maintained branch exists for an
older major (e.g. 2.x.x).
That said, if an unsupported version still has significant download numbers and you believe a vulnerability could have real impact, please report it anyway — it will be considered.
To report a security vulnerability, please use the Tidelift security contact. Tidelift will coordinate the fix and disclosure.
When reporting, please include as much detail as possible:
- A description of the vulnerability and its impact
- Steps to reproduce (a minimal reproduction is ideal)
- Affected version(s)
- Any suggested fix or mitigation, if you have one
In return, you can expect:
- Acknowledgement of your report within a reasonable delay.
- Confirmation of the issue and an assessment of its severity.
- A fix released as soon as reasonably possible, with credit to the reporter (unless you'd rather stay anonymous).
This is an open source project maintained on a best-effort basis, so timelines may vary — thanks for your understanding, and for helping keep the ecosystem safe.