A developer discovered a code injection vulnerability in their own open source shell library (dye), caused by passing user-controlled template expressions through eval. They walked through the full security advisory process: drafting the advisory on GitHub, requesting a CVE record, and running a coordinated disclosure sequence, with the fix release, the published advisory, and the accompanying blog post going out in quick succession. GitHub's tooling made the process straightforward even for first-time maintainers.
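The summary attributes the dye bug to combining eval with user-controlled template expressions. The following added example is not dye's code and not from the original post; it shows the general pattern in POSIX sh. One renderer rewrites {{name}} placeholders into ${name} and evals the result, so any other shell syntax in the template, such as $(...), also runs. The other substitutes placeholders with parameter expansion and never hands template text or values to eval. The {{name}} syntax, the function names and the INJECTED marker are assumptions chosen for illustration.

```shell
#!/bin/sh
# Hypothetical template renderers for illustration; not dye's own code.
# Assumed template syntax: {{name}} placeholders.

# Vulnerable pattern: convert {{name}} to ${name} with sed, then eval the
# whole template so the shell expands the variables. Because the entire
# template is shell code at that point, user-supplied $(...) runs as well.
render_unsafe() {
  shell_string=$(printf '%s\n' "$1" | sed 's/{{\([A-Za-z_][A-Za-z0-9_]*\)}}/${\1}/g')
  eval "printf '%s\n' \"$shell_string\""
}

# Hardened pattern: values are passed explicitly as key=value arguments and
# spliced in with parameter expansion. Nothing is ever evaluated as code, so
# $(...) in the template or in a value stays literal text.
render_safe() {
  out=$1
  shift
  for pair in "$@"; do
    key=${pair%%=*}
    val=${pair#*=}
    marker="{{$key}}"
    result=""
    rest=$out
    # Strip the prefix up to the first marker; if nothing changes, no marker is left.
    while [ "${rest#*"$marker"}" != "$rest" ]; do
      result="$result${rest%%"$marker"*}$val"
      rest=${rest#*"$marker"}
    done
    out="$result$rest"
  done
  printf '%s\n' "$out"
}

# Constructed demo input: a template carrying an injected command.
name=World
render_unsafe 'Hello {{name}}. $(echo INJECTED)'          # prints: Hello World. INJECTED
render_safe   'Hello {{name}}. $(echo INJECTED)' name=World  # prints: Hello World. $(echo INJECTED)
render_safe   '{{name}}' 'name=$(echo INJECTED)'           # prints: $(echo INJECTED)
```

The fix is not to escape more characters before eval but to remove eval from the path entirely: once the renderer only ever copies bytes between strings, the template language cannot grow into a shell language by accident.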
Table of contents
Finding the vulnerability
Code injection vulnerabilities
Writing the advisory
Preparing for publication
Time to figure things out