Security fixes are applied to the latest version.
If you find a potential security issue, please report it to info@martin-thoma.de (the current maintainer).
We will try to find a fix in a timely manner and will then issue a security advisory together with the update via GitHub (example).
If you don't get a reaction within 30 days, please open a public issue on GitHub.