How are package updates which resolve CVEs handled?
For example, Palemoon-bin has a version bump to v28.13.0, which fixes several CVEs. That version is in testing and unstable, but not in stable.
Addition after split off from the Manjaro build package version bump topic:
Nowadays it’s not a big issue for me, since I install it via the AUR. However, there are some annoyances after each system update, since the version of the community repository gets aligned with the AUR one, making pacman think that I’ve installed it via the community repository instead of via the AUR. Also, pacman lacks the ability to prioritize sources per package, thus I keep getting annoyed with “warning: palemoon-bin: local (version-blah-blah) is newer than community (version-blah-blah)”.