Hello all,

What is our current policy about addressing CVEs in contrib extensions, if we have one? As of now, before the release, the release manager will either try to fix the CVEs or add a suppression if applicable, unless a developer has already done that same work before the release process begins. This, however, is a tedious exercise for the release manager and for us maintainers. With contrib extensions added to the mix, there is a huge surface area for us to cover when it comes to managing CVEs in dependencies.
I propose excluding contrib extensions from our CVE checks so that RM can ignore those CVEs during the release. We don't ship the contrib extensions in distribution anyway, so it seems like a reasonable stance to me.