We are following CalVer with generous backwards-compatibility guarantees. Therefore we only support the latest version.

That said, you shouldn't be afraid to upgrade if you're only using our documented public APIs and pay attention to DeprecationWarnings. Whenever there is a need to break compatibility, it is announced in the changelog and raises a DeprecationWarning for a year (if possible) before it's finally really broken.

To report a security vulnerability, please use the Tidelift security contact. Tidelift will coordinate the fix and disclosure.