We often run master on production systems or slightly behind master. Tagged releases of all web components in this repo are published to npm and managed via lerna. If we get a security issue in a specific version, we are going to fix it in a newer release of the web component and you should update to the latest stable at that time.
Security related issues should be filed in our general issue queue https://github.com/elmsln/issues/issues