| ▲ | bstsb 2 hours ago | |
> The default applies only to version updates. Security updates still open immediately, so critical fixes are never delayed. does this require a real vulnerability report, or CVE? if the package is compromised would they just be able to push a false "critical update" that bypasses this wait? | ||
| ▲ | MeetingsBrowser an hour ago | parent [-] | |
Requires a GitHub security advisory and > Only advisories reviewed by GitHub trigger alerts. From https://docs.github.com/en/code-security/concepts/supply-cha... | ||