The clang-tidy-vs Visual Studio plugin in clang-tools-extra contains a security vulnerability in the YamlDotNet package. GitHub flags the code in clang-tools-extra as a high priority security vulnerability. If you’re an admin of a custom fork of the llvm-project monorepo on GitHub, you get a banner every time you open the GitHub webpage for the repo, and an additional weekly email about this high priority vulnerability.
I’ve emailed Zachary, who originally added the plugin, about this issue, and also filed a bug report on llvm.org. From what I gathered so far, I don’t think Zachary works on llvm-project anymore. Would there be anyone else who’d be interested in updating the plugin to address the vulnerability? If not, would it be reasonable to remove this plugin from llvm-project entirely?