The devel branch is used for stable-ish development and is supported,
but devel-* branches are considered short-lived and are not supported separately.

Due to its nature as a unit test framework, Catch2 shouldn't interact with untrusted inputs and there shouldn't be many security vulnerabilities in it.
However, if you find one, send an email to martin <dot> horenovsky <at>
gmail <dot> com. If you want to encrypt the email, my PGP key is
E29C 46F3 B8A7 5028 6079 3B7D ECC9 C20E 314B 2360.