> Why would I care whether the Node runner has a security vulnerability?

I’m guessing they know you don’t care, but the big company customers cant have a CVE anywhere and won’t accept a EOL node version so they can check a box on something.

(I guess there’s also people with self hosted runners, who might be running them inside networks that aren’t segmented.)