We follow Calendar Versioning with generous backwards-compatibility guarantees. Therefore, we only support the latest version.
That said, you shouldn't be afraid to upgrade if you're only using our documented public APIs and pay attention to DeprecationWarnings.
Whenever there is a need to break compatibility, it is announced in the changelog and raises a DeprecationWarning for a year (if possible) before it's finally really broken.
Warning
What explicitly may change over time are the default hashing parameters and the behavior of the CLI interface.
To report a security vulnerability, please use the Tidelift security contact. Tidelift will coordinate the fix and disclosure.