
Great work but is it contributed back to the vendors? #1

Closed

benedekh opened this issue Feb 13, 2024 · 1 comment

Comments

@benedekh

Hi Team,

Thanks for the great work you are doing by patching the (security) vulnerabilities in the open-source projects! 🎉👏🙏

One quick question: do you contribute these patches back to the vendors, or just collect them here?

I've seen that in the case of the ip npm package you proposed your fixes in a comment of a pull request that fixes the same problem in a different way.

However, in the case of jackson-databind, I have not seen your proposed fixes in their repository. (Maybe I've missed the PR.)

I think it would be a huge loss if your patches were just lying around here without being contributed to the vendors, thereby helping their efforts of closing security loopholes and making the software ecosystem more secure and reliable.

@itamarsher

itamarsher commented Feb 13, 2024

Hi @benedekh
Thank you for your kind words!
Due to the number of patches we produce, plus maintainers generally not accepting PRs for unmaintained branches (just an example: mde/ejs#580), we decided to leave that effort up to the community/maintainers.

If you wish to pull the built artifacts directly, our artifact server is free for open source projects/individuals, and you can automatically apply the patches using the CLI https://github.com/seal-community/cli.

@itamarsher itamarsher closed this as not planned Feb 13, 2024