logoalt Hacker News

bstsbyesterday at 10:29 PM2 repliesview on HN

> The default applies only to version updates. Security updates still open immediately, so critical fixes are never delayed.

does this require a real vulnerability report, or CVE? if the package is compromised would they just be able to push a false "critical update" that bypasses this wait?


Replies

MeetingsBrowseryesterday at 11:22 PM

Requires a GitHub security advisory and

> Only advisories reviewed by GitHub trigger alerts.

From https://docs.github.com/en/code-security/concepts/supply-cha...

doctorpanglosstoday at 12:34 AM

The idiocy of cooldowns speaks for itself.