How does fixing such vulnerabilities work in practice? Is he going to patch the code in private branches so that nobody can infer the vulnerability from the commit, or will people be expected to update to the latest commit if he pushes to the public repo?