You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
We are a research team dedicated to Golang, have discovered that CVE-2021-4235 was addressed in commit caeefd8. However, upon analyzing the commit, we observed that the patch version (v2.2.3) was released after a lapse of over one month. We are interested in understanding the reasons behind this delay in releasing the patch version, as it could potentially impede the prompt dissemination of patches to downstream users. We seek clarification on whether the delay might be attributed to:
Issues with testing and CI checking.
Other commits requiring inclusion in a single release.
By convention, infrequent release of versions.
Other reasons.
We appreciate your attention to this matter and eagerly await your response. Thank you.
The text was updated successfully, but these errors were encountered:
@Silence-worker-02 I'm not a maintainer of this repo, but I'm surprised that your list of potential causes doesn't include the obvious: Most open source library projects are under-funded and run by individuals on their spare time. These individuals have their own set of priorities that may not align with the security researchers (e.g. the CVE in question is not critical if you only use YAML as a internal only facing config format).
We are a research team dedicated to Golang, have discovered that CVE-2021-4235 was addressed in commit caeefd8. However, upon analyzing the commit, we observed that the patch version (v2.2.3) was released after a lapse of over one month. We are interested in understanding the reasons behind this delay in releasing the patch version, as it could potentially impede the prompt dissemination of patches to downstream users. We seek clarification on whether the delay might be attributed to:
We appreciate your attention to this matter and eagerly await your response. Thank you.
The text was updated successfully, but these errors were encountered: