
Please enable GitHub Private Vulnerability Reporting
JLLeitschuh opened this issue · 11 comments
Hi!
My name is Jonathan Leitschuh, I'm a senior software security researcher for the Open Source Security Foundation. I've found what I believe to be a security vulnerability in OpenComputers. I'd like to privately report it to you as a vulnerability.
If you'd be so kind as to enable GitHub's private vulnerability reporting, I'll be more than happy to report the vulnerability to you there.
Unfortunately, while I am the repository maintainer, the only person with the rights necessary to enable private vulnerability reporting on GitHub is @fnuecke - and he's not really around often. (I can push releases via GitHub workflows and handle commits, but not administration operations on the repository itself.)
I'm open to discuss alternate means of communicating the vulnerability.
If you can harass @fnuecke to enable PVR, that would be great. In the short term, I'll create a report in my own repo and add you to it. It will come from https://github.com/JLLeitschuh/security-research
The report can be found here: https://github.com/JLLeitschuh/security-research/security/advisories/GHSA-95qx-gfrp-3rjm
If there's anyone else you want me to add, give me their usernames and I'm happy to invite them!
Thanks for the report, and sorry for the delay! Enabled the feature now. If there's any additional steps you need me to do admin-wise on the repo, let me know.
Can you add @asiekierka either as a repo admin or a contributor so they can view the report I submitted?
Done!