TL;DR: procmail is a security liability and has been abandoned
upstream for the last two decades. If you are still using it, you
should probably drop everything and at least remove its SUID
flag. There are plenty of alternatives to choose from, and conversion
is a one-time, acceptable trade-off.
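A defender's check for the SUID recommendation above, added here as example code that is not from the post: it reports whether a procmail binary carries a set-id bit, can strip it, and notes that on Debian a plain chmod is undone by the next package upgrade unless the permission is recorded with dpkg-statoverride. The function names are my own; it assumes a POSIX sh with test(1) -u/-g, ls(1) and chmod(1).

```sh
#!/bin/sh
# Audit procmail for the setuid/setgid bits and show how to drop them.
# Assumptions (not from the post): POSIX sh, ls(1), chmod(1); the
# dpkg-statoverride hint only applies on dpkg-based systems such as Debian.

# has_setid PATH: succeed (0) if PATH carries the setuid or setgid bit.
has_setid() {
    [ -u "$1" ] || [ -g "$1" ]
}

# strip_setid PATH: clear both set-id bits in place (needs write access).
# On Debian the next package upgrade restores the packaged mode unless
# the override is recorded, which audit_procmail prints as the permanent fix.
strip_setid() {
    chmod u-s,g-s "$1"
}

# audit_procmail [PATH...]: report each binary (default: the procmail on $PATH).
# Returns 0 when no set-id bit is present, 1 when at least one binary has one.
audit_procmail() {
    if [ $# -eq 0 ]; then
        set -- "$(command -v procmail 2>/dev/null)"
        if [ -z "$1" ]; then
            echo "procmail: not installed, nothing to do"
            return 0
        fi
    fi
    rc=0
    for bin in "$@"; do
        if has_setid "$bin"; then
            echo "$bin: set-id bit present ($(ls -ld "$bin" | awk '{print $1, $3 ":" $4}'))"
            echo "  immediate fix:           chmod u-s,g-s $bin"
            echo "  permanent fix on Debian: dpkg-statoverride --update --add root root 0755 $bin"
            rc=1
        else
            echo "$bin: no set-id bit"
        fi
    done
    return $rc
}

# Usage after sourcing this file:  audit_procmail   or   audit_procmail /usr/bin/procmail
```

A non-zero exit from audit_procmail makes it usable as a one-line check in a configuration-management or monitoring job.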
procmail is unmaintained. The “Final release”, according to
Wikipedia, dates back to September 10, 2001 (3.22). That release
has shipped in Debian ever since, starting with Debian 3.0
“woody”, twenty years ago.
Debian also ships 25 uploads on top of this, with 3.22-21 shipping the
“3.23pre” release that has been rumored since at least November
2001, according to debian/changelog:
procmail (3.22-1) unstable; urgency=low

  * New upstream release, which uses the `standard' format for Maildir
    filenames and retries on name collision. It also contains some
    bug fixes from the 3.23pre snapshot dated 2001-09-13.
  * Removed `sendmail' from the Recommends field, since we already
    have `exim' (the default Debian MTA) and `mail-transport-agent'.
  * Removed suidmanager support. Conflicts: suidmanager (<< 0.50).
  * Added support for DEB_BUILD_OPTIONS in the source package.
  * README.Maildir: Do not use locking on the example recipe,
    since it's wrong to do so in this case.

 -- Santiago Vila Wed, 21 N