This project should be low risk, because it runs locally in your IDE or your browser, and doesn't open any network connections.

No vulnerabilities have been reported, so all versions are still supported for security updates.

Report vulnerabilities on GitHub at the project's security advisories page. You should expect to get a response within a month (probably much faster). If the vulnerability is accepted, you should expect to see a patched release. If not, you should get an explanation of why it was not accepted or how the vulnerability can be avoided.