
runner is dependent upon a deprecated package - lockfile #379

@pcuzner


Runner's Python dependency chain requires daemon, which in turn requires lockfile (at least that's how the rpms are built!). The issue is that lockfile is deprecated - https://pypi.org/project/lockfile/ so any security-related issues relating to that package may not be addressed, leading to a potential exposure in runner itself.

This is also covered in a downstream BZ - https://bugzilla.redhat.com/show_bug.cgi?id=1758507
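
One way to confirm which dependency paths pull lockfile into an environment, as an added example that is not part of the original issue or the project's code. The sample graph and its package names are constructed from the chain described above; real distribution names on a host may differ.

```python
import re
from importlib import metadata

def normalize(name):
    """PEP 503 name normalization, so 'Lock_File' and 'lock-file' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def installed_graph():
    """Map every installed distribution to the names in its Requires-Dist entries."""
    graph = {}
    for dist in metadata.distributions():
        name = dist.metadata.get("Name")
        if not name:
            continue
        deps = set()
        for req in dist.requires or []:
            if re.search(r"\bextra\s*==", req):
                continue  # optional extras are not part of the default install
            match = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", req)
            if match:
                deps.add(normalize(match.group(0)))
        graph[normalize(name)] = deps
    return graph

def chains_to(graph, root, target):
    """Return every dependency path from root to target (depth-first, cycle-safe)."""
    root, target = normalize(root), normalize(target)
    paths = []
    def walk(node, path):
        if node == target:
            paths.append(path)
            return
        for dep in sorted(graph.get(node, ())):
            if dep not in path:
                walk(dep, path + [dep])
    walk(root, [root])
    return paths

# Constructed sample graph mirroring the chain in the issue; not real package metadata.
SAMPLE = {
    "runner": {"daemon", "pexpect"},
    "daemon": {"lockfile", "setuptools"},
    "pexpect": {"ptyprocess"},
    "setuptools": {"daemon"},  # artificial cycle to exercise the cycle guard
}

if __name__ == "__main__":
    for path in chains_to(SAMPLE, "runner", "lockfile"):
        print(" -> ".join(path))
    # On a real host: chains_to(installed_graph(), "<root distribution>", "lockfile")
```

An empty result for a given root means nothing in that root's default (non-extra) dependency tree declares the target.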
