All versions are supported, but it's recommended to stay on the always current version. There may be known vulnerabilities in development dependencies that are avoidable.

Vulnerabilities from version updates should have automated PRs from dependabot.

If there is a vulnerability in the code itself, please submit an issue (or also a PR if you have the solution), mentioning the vulnerability.