The work is presumably publicly available in a branch at that point. Nothing is stopping that person from forking the repo, and bundling their own release.
They should fork the entire project and launch a competing project rather than ask for a ballpark for the next release so they can inform their stakeholders?
You seem to be incapable of understanding that it is quite possible and not at all unusual to internally carry patches to dependencies on which your commercial product is built. In this case, the patch merely involves changing two bytes[1], three if you include the pyOpenSSL bump, something a company like IBM should easily be able to do.