I am a bit unclear when we should be some issues, and when we should be marking them as no-DSA (or similar).
For example, webpack was three issues:

- CVE-2019-1010315: divide by zero
- CVE-2019-1010317: use of uninitialized memory.
- CVE-2019-1010319: use of uninitialized memory.

All three issues have been marked no-DSA by the security team. Does that mean we should do the same thing?

I don't think there is any proven direct security vulnerability (other than maybe a DOS attack by killing a remote service), however that does not mean there isn't a security vulnerability, especially for the 2nd two CVEs.

--
Brian May <[email protected]>
