Why were the patch versions for CVE-2021-4235 released so late?

[Silence-worker-02]

We are a research team dedicated to Golang, have discovered that CVE-2021-4235 was addressed in commit caeefd8. However, upon analyzing the commit, we observed that the patch version (v2.2.3) was released after a lapse of over one month. We are interested in understanding the reasons behind this delay in releasing the patch version, as it could potentially impede the prompt dissemination of patches to downstream users. We seek clarification on whether the delay might be attributed to:

1. Issues with testing and CI checking.
2. Other commits requiring inclusion in a single release.
3. By convention, infrequent release of versions.
4. Other reasons.
   We appreciate your attention to this matter and eagerly await your response. Thank you.

[bep]

@Silence-worker-02 I'm not a maintainer of this repo, but I'm surprised that your list of potential causes doesn't include the obvious: Most open source library projects are under-funded and run by individuals on their spare time. These individuals have their own set of priorities that may not align with the security researchers (e.g. the CVE in question is not critical if you only use YAML as a internal only facing config format).