We backport changes to the most current minor version. For example, once v1.4.0 has been released, changes will only be backported to the 1.4.x branch to make releases 1.4.1, 1.4.2, and so on. The CVE fixed with v1.4.2 will not be backported to the 1.3 branch. While that might be possible for this specific case, it’s not something we want to do regularly because our usage of any given dependency can change across minor versions and make backporting very risky.