I definitely have empathy for OSS maintainers but getting to the bottom of what was going on here was a rollercoaster.

They mentioned Google Project Zero “breathing down our necks” but then later said Google Project Zero hadn’t even reported anything this year:

> That said, Project Zero has notably reported zero security vulnerabilities in libxml2 since the start of this year.