By default we only support the latest version for all bugfixes, though we're open to discussion if there's evidence of wider deployment. Libraries.io statistics can be useful in assessing exposure, though we acknowledge there are private pools not represented by public stats.

You can use GitHub to privately report a vulnerability here, or if you do not have a GitHub account, contact the repository owner via the email on the About section of the website linked from their profile page. At the time of writing: https://sedimental.org/about.html