Report a vulnerability to the author directly.

You can expect to get an update on a reported vulnerability within 2 working days.

I'm using dependabot to scan for security issues and update dependencies in the develop branch regularly.