The truth isn't confidence-inspiring, the truth can be even without selling something, it's not here.
There is a risk that the network is compromised at any moment and cannot be relied upon, except for your own personal risk tolerance on the activity you are interested in.
To quote the article: "To the best of our knowledge, the attacks happened between 2019-2021."
and
"This protection exists in Ricochet-Refresh, a maintained fork of the long-retired project Ricochet, since version 3.0.12 released in June of 2022."
While it has been fixed for years, it was not a case of using old software, from what I am reading.
The vulnerability is mitigated by shifting the economic incentives, not fixed by making it impossible. It can't be fixed without a completely different network design, like in Mixminion or Katzenpost. Someone suggested I2P, but it's mostly fundamentally the same as Tor. It uses unidirectional tunnels, which might help.
But the things that do inspire confidence:
Tor is updated against vulnerabilities pre-emptively, years before the vulnerability is known to be leveraged.
Tor Project happens to be investigating the attack vector of the specific Tor client, which is years outdated.
They should have just said “we fixed that vulnerability in 2022”
with a separate article about the old software