potiuk commented on PR #59073: URL: https://github.com/apache/airflow/pull/59073#issuecomment-3634888187
> No need to be rude. I just asked if this addressed that, as it seemed like it would, since that CVE mentioned needing to bump react to 19.2.1 and react-dom 19.2.1, which seemed to be addressed here, and after looking at the code it wasn't clear to me if this security issue was a problem. The version is definitely one of the affected ones, so I don't think it was an unreasonable question.

React != react-server-components. In all articles about the issue it's very clearly specified which components are updated. And it's a great opportunity to remind people that there are ways to check it. You are not the first one who did not look in detail but saw "react" and did not check that it was really "react-server-components"; there were a few others, via different channels, who did not check that we are not using it. If everyone - like you and them - did the same, we would have to spend the whole day just answering.

You have to be really careful when you mention a security issue in public - it might not only be "irresponsible disclosure". This immediately triggers a maintainers' alert - and might draw the attention of malicious actors who might want to use it against the project. So by publicly commenting on it you are putting the project in danger, if in fact we would be affected. Our project has very clear policies describing what you should do when you suspect a security issue. Commenting on public PRs and issues is NOT the way it should be done. I recommend you check it (Security tab in the GitHub project - easy to find).

Also - to be perfectly honest - the harsh tone is deliberate. Since those issues are public, I treat it as a teaching opportunity, and unfortunately this time it was your turn. I hope this will serve as an example to others who will likely find the issue and learn about SBOMs and the ways they should check things.

If we receive 1000 questions like yours and one of them is important, we might miss it, so I prefer to be slightly rude and through that have fewer of such questions - no more. This is really a sign we are treating security seriously - and we simply ask our users to do the same. Just that.
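The check the maintainer is asking for, as an added example that is not part of the PR thread and is not Airflow's own tooling: parse a CycloneDX SBOM (the format Apache projects commonly publish), resolve each npm component to its exact package name from the `pkg:npm/...` purl, and ask whether a specific package (here `react-server-components`) is present at all, rather than grepping for the string "react". The SBOM fragment embedded below is constructed for illustration and does not describe Airflow's real dependency set; the helper names (`load_components`, `find_exact`, `versions_below`) are the example's own.

```python
import json
import re
from urllib.parse import unquote

# Constructed CycloneDX 1.5-style SBOM fragment (illustrative only, not Airflow's SBOM).
SBOM_JSON = r'''{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "react", "version": "19.2.1",
     "purl": "pkg:npm/react@19.2.1"},
    {"type": "library", "name": "react-dom", "version": "19.2.1",
     "purl": "pkg:npm/react-dom@19.2.1"},
    {"type": "library", "name": "react-router-dom", "version": "7.1.0",
     "purl": "pkg:npm/react-router-dom@7.1.0"},
    {"type": "library", "group": "@tanstack", "name": "react-query", "version": "5.0.0",
     "purl": "pkg:npm/%40tanstack/react-query@5.0.0"}
  ]
}'''


def parse_npm_purl(purl):
    """Return (name, version) for a pkg:npm purl, or None for other ecosystems.

    Scoped packages are percent-encoded in purls ("%40scope/name"), so the
    name is decoded before it is compared against anything.
    """
    if not purl.startswith("pkg:npm/"):
        return None
    rest = purl[len("pkg:npm/"):]
    rest = rest.split("?", 1)[0].split("#", 1)[0]  # drop qualifiers / subpath
    name, sep, version = rest.rpartition("@")
    if not sep or not name:  # purl without a version
        return unquote(rest), None
    return unquote(name), version


def load_components(sbom_text):
    """Map exact npm package name -> set of versions found in the SBOM."""
    bom = json.loads(sbom_text)
    found = {}
    for comp in bom.get("components", []):
        parsed = parse_npm_purl(comp.get("purl", ""))
        if parsed is None:
            continue
        name, version = parsed
        found.setdefault(name, set()).add(version)
    return found


def find_exact(components, package):
    """Versions of exactly this package; [] means it is not a dependency."""
    return sorted(v for v in components.get(package, ()) if v is not None)


def find_substring(components, needle):
    """What a naive 'grep react' would match - shown to contrast with find_exact."""
    return sorted(n for n in components if needle in n)


def _version_key(version):
    # Compare dotted numeric versions; non-numeric suffixes are ignored.
    return tuple(int(m.group()) for m in re.finditer(r"\d+", version))


def versions_below(components, package, fixed_version):
    """Installed versions of `package` strictly older than `fixed_version`."""
    fixed = _version_key(fixed_version)
    return sorted(v for v in find_exact(components, package)
                  if _version_key(v) < fixed)


if __name__ == "__main__":
    comps = load_components(SBOM_JSON)
    print("react-server-components present:", find_exact(comps, "react-server-components"))
    print("substring 'react' would flag:", find_substring(comps, "react"))
    print("react-dom older than 19.2.1:", versions_below(comps, "react-dom", "19.2.1"))
```

Run against a real SBOM, the first question to answer is whether `find_exact` returns anything for the component actually named in an advisory; only then does the version comparison matter. The substring search is included purely to show how many unrelated packages a name-fragment match drags in.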
