CVEs in Orion’s Release Notes

bogdanw

Orion’s Release Notes should include the CVEs that have been fixed.
Orion’s Release Notes just say “Latest WebKit”, but it’s not clear if a particular vulnerability has been addressed or not.
At the moment, Orion RC 0.99.134.2 released on 17 July 2025 and Orion Beta 0.99.135 released on 29 July 2025 both have “Latest WebKit 622.1.15.19.2 (macOS 14+)”.
Does that include the fix for CVE-2025-6558? Included in Chrome on 15 July 2025 and Safari 18.6 on 29/30 July 2025.

More, the WebKit version is not explained in the documentation. What does “Latest WebKit” mean?
The latest Safari Technology Preview is 21622.1.20.1, the latest Safari beta is 20622.1.19.29.2.
Safari beta 20622.1.18 was released on 7 July 2025 and Safari 18.6 is 20621.3.11.11.3.

Users would know if Orion is vulnerable to a particular vulnerability that has been made public and sometimes is actively exploited.

CyberSphinx

I think this is a great idea, although there haven't been any orion exclusive CVEs yet.

Yannick

I think it'd be nice, but since it’s an open‑source project that isn’t ours, we’ll focus on our own stuff that already takes up a lot of our time 😉
We'll let folks know which WebKit version is active and let the curious users figure it out themselves