NodeJS has a clear support schedule for releases. Once a version of nodejs is EOL, the node team stops backporting security fixes. And you should really stop using it. Here's the calendar:

https://nodejs.org/en/about/previous-releases

Here's a list of known security vulnerabilities affecting old versions of nodejs:

https://nodejs.org/en/about/eol

In my opinion, npm packages should only support maintained versions of nodejs. If you want to run an ancient, unsupported version of nodejs with security vulnerabilities, you're on your own.