During initial development (v0.x.x), security updates are always included in minor releases and may be included in release notes and CHANGELOG.md.
If you find a potential security vulnerability please email security@davidlday.com rather than creating a public issue on GitHub.