Remix.run Logo
bstsb 2 hours ago

> The default applies only to version updates. Security updates still open immediately, so critical fixes are never delayed.

does this require a real vulnerability report, or CVE? if the package is compromised would they just be able to push a false "critical update" that bypasses this wait?

MeetingsBrowser an hour ago | parent [-]

Requires a GitHub security advisory and

> Only advisories reviewed by GitHub trigger alerts.

From https://docs.github.com/en/code-security/concepts/supply-cha...