Why were the patch versions for CVE-2022-34969 released so late?

We are a research team dedicated to Golang, and we have discovered that CVE-2022-34969 was addressed in commit e1f9e0affe2e20fbccb8c7bd22350eef67813953. However, upon analyzing the commit, we observed that the patch version (v6.3.0-alpha) was released after a lapse of over one month. We are interested in understanding the reasons behind this delay in releasing the patch version, as it could potentially impede the prompt dissemination of patches to downstream users. We seek clarification on whether the delay might be attributed to:

  1. Issues with testing and CI checking.
  2. Other commits requiring inclusion in a single release.
  3. By convention, infrequent release of versions.
  4. Other reasons.

We appreciate your attention to this matter and eagerly await your response. Thank you.


v6.3.0-alpha is not a release version. So I assume this was included in v6.3.0 when it was released. Then for v6.2.0: This was a development milestone release (DMR) and not a LTS version. We only release patches for LTS versions. The latest LTS at that point was v6.1.x, so that’s where we released a patched version.

Hope this explains at least part of your question.