gogs / gogs

Gogs is a painless self-hosted Git service
https://gogs.io
MIT License

Multiple unpatched critical/high CVEs #7777

Open k3an3 opened 3 months ago

k3an3 commented 3 months ago

As per https://www.sonarsource.com/blog/securing-developer-tools-unpatched-code-vulnerabilities-in-gogs-1/, multiple critical and high CVEs were reported to Gogs maintainers in April 2023 but have not been addressed:

Argument Injection in the built-in SSH server (CVE-2024-39930, CVSS 9.9 Critical)
Argument Injection when tagging new releases (CVE-2024-39933, CVSS 7.7 High)
Argument Injection during changes preview (CVE-2024-39932, CVSS 9.9 Critical)
Deletion of internal files (CVE-2024-39931, CVSS 9.9 Critical)

Is this project still alive? Strongly considering switching to Gitea where these issues are not present.

Elikill58 commented 3 months ago

Is this project still alive?

I think no

fnetX commented 2 months ago

I am a member of the Forgejo security team, and we have tried to inform Gogs about vulnerabilities we discovered in our codebase and traced back to Gogs. However, we haven't had much luck either. Shortly after we reported a critical vulnerability, the security policy of Gogs was updated and no longer accepts reports via email, so we'll likely stop bothering about Gogs.

linghengqian commented 2 months ago

@unknwon I see the main branch is always updated. Is it possible to release a new version recently?