> prefer the oldest version satisfying the given constraints

The problem is there's no metadata for which versions fix security bugs, and therefore which previous versions are now insecure.