We support only the latest version, and we use CalVer for versioning.
You should feel comfortable upgrading if you're using our documented public APIs and pay attention to DeprecationWarnings. Whenever there is a need to break compatibility, it is announced in the Changelog and will raise a DeprecationWarning before it's finally really broken.
If you think you found a vulnerability, please report it at nebari/security. Please do not report security vulnerabilities on our public issue tracker. Exposing vulnerabilities publicly without giving maintainers a chance to release a fix puts users at risk.