How are the audit advisories updated? And by whom?
Case in point, static-eval advisory lists no unaffected versions, but apparently the most recent version 2.0.2 is not affected.
How is this information updated?
For future reference, if one of my packages is singled out, what do I need to do beyond publishing a fixed version?