This repo operates on a rolling basis, with the last major version receiving security updates to the building process.
The only part of this repository that actually ends up in the enclave is the init process. Consider using AWS' init process too (which can be compiled from source) if you prefer to rely on their security policy.
You are welcome to report vulnerabilities for upstream dependencies' packages, but keep in mind you can update your dependencies yourself without updating aws-nitro-util by having it inherit another flake input. See the documentation for details.
You can responsibly disclose vulnerabilities to [email protected].