New patch release with CVE fixes #2388

Open
nathanlaceyraft opened this issue Feb 26, 2025 · 3 comments

Comments

@nathanlaceyraft
Contributor

Would it be possible to get a patch release with the CVE fixes?

#2383 and
#2381

Thanks.

@alixander
Collaborator

alixander commented Mar 2, 2025

Do these actually have material impact? I'm genuinely curious: does using the software without these patches pose safety concerns for you? Or is there some other external requirement?

@nathanlaceyraft
Contributor Author

Some scanners like Trivy don't use modern govulncheck, and as such can have "false alarms", i.e. say something is a CVE that isn't actually being called.

But the 2 patches that have been merged represent actually possible vulnerabilities,
as listed by govulncheck (i.e. the code path is actually called).

Once I get a patch version of d2, then I need to work with yuzutech/kroki to update d2.

FYI, if you were creating a library only, third-party users of your package should be able to update patch releases locally...
but when you deliver a binary, there isn't any other way to resolve CVEs (short of forking the repo).

Thanks for creating/maintaining software for the community!
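As an added illustration of the distinction drawn above between a manifest-only scanner and govulncheck (example code, not part of this thread or the d2 project): it classifies findings from a govulncheck `-json` stream by whether the vulnerable symbol is actually on a call path from the scanned code. The message and frame field names are my understanding of govulncheck's JSON format, the sample stream is constructed, and the OSV IDs are placeholders.

```python
import json

# Constructed sample in the shape of govulncheck -json output (assumption: the
# message/frame field names follow golang.org/x/vuln; OSV IDs are placeholders).
SAMPLE = """
{"config": {"scan_level": "symbol"}}
{"finding": {"osv": "GO-0000-PLACEHOLDER-A", "fixed_version": "v1.2.3",
  "trace": [{"module": "example.com/lib"}]}}
{"finding": {"osv": "GO-0000-PLACEHOLDER-A", "fixed_version": "v1.2.3",
  "trace": [{"module": "example.com/lib", "package": "example.com/lib/parse"}]}}
{"finding": {"osv": "GO-0000-PLACEHOLDER-A", "fixed_version": "v1.2.3",
  "trace": [{"module": "example.com/lib", "package": "example.com/lib/parse", "function": "Decode"},
            {"module": "example.com/app", "package": "example.com/app", "function": "main"}]}}
{"finding": {"osv": "GO-0000-PLACEHOLDER-B", "fixed_version": "v0.9.0",
  "trace": [{"module": "example.com/other"}]}}
"""

RANK = {"required": 0, "imported": 1, "called": 2}

def iter_messages(stream):
    """Yield each top-level JSON object from a concatenated (non-JSONL) stream."""
    dec, pos = json.JSONDecoder(), 0
    while (pos := len(stream) - len(stream[pos:].lstrip())) < len(stream):
        obj, pos = dec.raw_decode(stream, pos)  # leading whitespace skipped above
        yield obj

def level(finding):
    """Most specific reachability evidence in a finding's trace."""
    trace = finding.get("trace") or []
    if any(fr.get("function") for fr in trace):
        return "called"    # vulnerable symbol is on a call path from our code
    if any(fr.get("package") for fr in trace):
        return "imported"  # package imported, vulnerable symbol never reached
    return "required"      # module only appears in go.mod

def summarize(stream):
    """Map each OSV ID to the strongest level seen across its findings."""
    out = {}
    for msg in iter_messages(stream):
        f = msg.get("finding")
        if f and RANK[level(f)] > RANK.get(out.get(f["osv"]), -1):
            out[f["osv"]] = level(f)
    return out

def actionable(stream):
    """OSV IDs whose vulnerable symbol is actually called, i.e. the real alarms."""
    return sorted(k for k, v in summarize(stream).items() if v == "called")
```

A manifest-only scanner would report both placeholder IDs; only PLACEHOLDER-A has a called vulnerable symbol.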

@nathanlaceyraft
Contributor Author

nathanlaceyraft commented Mar 2, 2025

Also, like I was showing in #2381,
you could make GitHub automatically create PRs to help your project stay free of CVEs by enabling Dependabot.

Thanks.
