tl;dr: This is a great, important topic. The potential vulnerabilities listed in the original post are low risk. The opportunity to improve communication about the topic of Security is timely and important.
To be clear, we do utilize GitHub security tools and have continual dependency scans running in the background. When the Core Team maintainers receive alerts, we assess and take action. This is not publicly visible activity for, well, security reasons.
There’s improved communication action we can and will take. Thank you for nudging us in this direction.
Two final things:
- a part of the assessment is evaluating what and where there is a security risk and then taking appropriate action. In the case of development-only tooling, e.g., Storybook, the risk is much lower.
- Redwood Framework Security != Security of Applications built on Redwood → Of course we want to ensure security best practices and make the framework as secure as possible (this is our responsibility) — ultimately security rests in the hands of the application developers who use Redwood. We will do as much as we can, but we can only do so much.