Starting the conversation on how to handle the additions of knownVulnerabilities.
I am more inclined on merging as soon as possible to notify affected downstream users when doing so doesn't cause mass breakages but there is no policy/procedure in place specially around how to notify maintainers.
This issue was raised as a comment on marking qt5.webengine having known vulnerabilities: #435067 (comment)
cc @NixOS/security
Starting the conversation on how to handle the additions of knownVulnerabilities.
I am more inclined on merging as soon as possible to notify affected downstream users when doing so doesn't cause mass breakages but there is no policy/procedure in place specially around how to notify maintainers.
This issue was raised as a comment on marking qt5.webengine having known vulnerabilities: #435067 (comment)
cc @NixOS/security