Security policy questions

[bbenjamin]

I read ther

The Drupal project is considering adding a feature that includes this library as a dependency

We perform an evaluation for every dependency we introduce. Most of our security/release questions were covered by the documented Tidelift Secuirty Process, but I had a few things that would be great to have clarified:

Backwards compatibility guarantees
Were a new major release to happen, Are there any guarantees that a given prior release would be supported for some period of time (an LTS version, for example), with the understanding that things possibly changed between 4 and 5?

Security release guarantees
Similar to the above, but specific to security. Is there a backport policy for security releases. Is there a window where earlier major releases are assured to receive (when needed) any security fixes provided to the current release?

It's possible I missed these somewhere as this project+Tidelift are quite well documented. Could you direct me to the relevant policies provide clarification here?

Thanks for your help with our review process!

[domenic]

No previous releases are supported. As a volunteer project, we only ever support the latest-released version. No backports will be performed.

Hope this helps!

[bbenjamin]

Definitely helpful, thank you for the quick response!