Only report security vulnerabilities on the latest, or a couple versions behind. If it's something from an old update, then don't bother, unless it's still in the newest version, then please, report it.
Please, report it in an Issue in the GitHub repo. Make sure to mark it as confidential. If possible, it would be great to fix it if you know how, and open a PR. If you don't know how, don't sweat it. I'll try and be on it ASAP.