What is the recommended sequence of actions after discovering a vulnerability in a dependency in GAS?

When a vulnerability in a dependency is found in GAS, the safest and most effective path is a coordinated remediation flow that informs users, delivers a verified fix, and keeps monitoring for new issues. Start by creating or updating a security advisory that clearly explains what’s vulnerable, which versions are affected, and what the recommended remediation is. Then work with the dependency maintainers to confirm the fix approach—whether that’s upgrading to a patched version or applying a patch—and align on timelines. Implement the remediation in your project by upgrading the dependency or applying the patch. Next, test the changes thoroughly to verify the vulnerability is resolved and to catch any new issues the fix might introduce. Once testing passes, publish the advisory and the remediation details so users know how to respond and what to upgrade. Finally, monitor for new reports, exploit activity, or related advisories to ensure the vulnerability remains mitigated and to issue additional guidance if needed. This sequence ensures a credible fix is available, communication is accurate, and risk is minimized for users; skipping testing, ignoring non-critical cases, or replacing the entire project would be unnecessarily disruptive and less effective.