dutchcoders / transfer.sh

Easy and fast file sharing from the command-line.
https://github.com/dutchcoders/transfer.sh
MIT License

Why were the patch versions for CVE-2022-40931 released so late? #573

Status: Closed. Silence-worker-02 closed this issue 1 year ago.

Silence-worker-02 commented 1 year ago

Hello, we are a research team working on Golang. During our investigation, we found that CVE-2022-40931 was addressed in commit 31ad4e01e158497519f8680c187e1ceb8594c59d. However, we noticed that the patch version (v1.5.0) was released after a long time (202 days). We are curious about the reasons behind the delayed release of the patch version, as it may hinder the efficient distribution of patches to downstream users. Could the reason be:

1. Issues with testing and CI checking.

2. Other commits have to be incorporated into one release.

3. By convention, versions are not frequently released.

4. Other reasons.

Thank you for your attention, and we look forward to receiving your reply.

aspacca commented 1 year ago

Hello,

Depending on the personal time available to the maintainers during a specific time frame, versions are not frequently released.

We'll keep an eye on releasing a new patch version as soon as we become aware of, and have fixed, another security issue affecting the project.