by arp242 1064 days ago
> Secondly, this is just semantics.

It's absolutely not "semantics", because the amount and type of work involved is radically different. Some bug is something I can fix myself with a patch; a new release isn't something I can do at all.

> Fork, update the dependency or whatever reference to it, and submit back as a pull request.

IT HAS ALREADY BEEN FIXED. How many times do I need to repeat this?

1 comments

Releasing takes time or at least effort. It’s not like it happens on its own. It’s work.
Indeed, the maintainer has commented on this very post that more work than simply tagging a release is involved with fixing, as well as that the CVE impact on their repo is bogus because they’re not actually affected by it.