Azle is still in beta, but as we get closer to the 1.0 release we feel it is appropriate to begin to take security and other issues more seriously.
Recently we discovered a dangerous bug in setTimer. Calling setTimer in Azle versions 0.27.0, 0.28.0, and 0.29.0 causes an immediate infinite loop of timers.
The issue has been fixed as of Azle 0.30.0. Please upgrade ASAP if you use setTimer.
For the advisory to be accepted into the GHSA db and have the benefit of dependabot PRs for the affected repos, I would suggest adding the PR reference where the fix was added to the repo. This is usually reviewed by GitHub when they induct the advisory. (It’s not a strict requirement though.) For example, the agent-js advisory.
You could request a CVE from GitHub in the advisory so you have a single identifier to track the bug.
I didn’t see any field for adding a link to the PR, are you suggesting I should put a link to the PR in the text body of the advisory under References?