Github performs security tests on submissions, and wouldn't allow anything obvious, eg, malware. Vulnerabilities are a bit more 'relaxed' though, depending on the vulnerability.
Patches and vulnerabilities from third-party components are added frequently, and this is evident in the pull requests - you can see dependabot identifying updates and these get applied. This is semi-automatic. Someone manually pushes the updates, but this is frequent.
The upgrade cycle happens infrequently .. usually six months to a year, depending on the number of updates. This is only a small team and now the 'core' application has been created, only minor bugfixes are now maintained. We try to keep up with issues, but this is a hobby project, not 'full time' and the team have jobs, real-life, etc.
Finally I would add that all the source code is freely available, so anyone can spot obvious security issues. While we allow pull requests from others, these are not blindly applied, and all code is vetted before being applied. So someone can't write malicious code and get it added into the official application. Of course being open-source they can fork it and mangle it and pretend its official .. so all releases should be virus-checked, etc, and ensure they come from the proper source .. as with all software.