Especially as the fixes seemingly have been going into their public GitHub branch for days, since the report. I wonder if that was a conscious choice or negligience, maybe I'm missing something? I would expect these to be released as patches/merged in when the vulnerability is published, like a lot of other security-critical open source software does it.