Closed primeos-work closed 8 months ago
Hm, it looks like GitHub noticed that the two dependabot security alerts are fixed now, but somehow GitHub doesn't make the association to this PR (yet?)...
Maybe it's better to merge the dependabot PRs then. IMO it would be nice to indicate security fixes both in commit messages and via the GitHub UI to make the process as transparent as possible (IMO secrecy only makes sense before merging the fixes - in the case of butido).
This fixes all current security issues that dependabot reported. It replaces #338 and #344 (those PRs would be fine too but I prefer mentioning the security fixes in the commit messages - I'll check if the dependabot behavior can be configured to better mark security fixes).