cantaloupe
Question about 6.0 (and maybe minor 5.x?) release
Hello,
First, thank you for your work on Cantaloupe!
At the end of July, I submitted a PR to fix CVE-2023-37460, which was then merged (see #673).
During the July 31 meeting, the question of doing a release was discussed; however, it wasn't yet decided if it would be a 5.x or a 6.0, but 6.0 was more likely. It was then said that if there was a release, it probably wouldn't be before fall.
My question is: is there an (I hate to say the word) estimated 6.0 release window? If there isn't, would you consider releasing a 5.x patch that includes the CVE-2023-37460 fix?
The problem here is that automated security tools analyse the dependencies of the latest release, find the bad dependency, and therefore flag the whole project as a risk. I realize that the CVE is on a transitive dependency used only at the build step, and that the actual risk incurred is probably trivial if it even exists, however security analysis tools don't have that nuance.
I initially made the PR on the 5.0 branch, but we later merged it on develop. I can make another PR on release/5.0 if you're willing to release the patch.
I hope this doesn't come out as the stereotypical open source user demanding work from maintainers. While this release would honestly make my life easier, I totally understand if it's not possible.
Camille