This project does not rebuild/release to "fix" CVEs which do not apply to actual builds of gosu. For example, this includes any CVE in Go which applies to interfaces that gosu does not ever invoke, such as net/http, archive/tar, encoding/xml, etc.
Before reporting that gosu is "vulnerable" to a particular CVE, please run our ./govulncheck-with-excludes.sh wrapper around govulncheck to determine whether the latest release is actually using the vulnerable functionality. See this excellent blog post from the Go team for more information about the govulncheck tool and the methodology by which it is maintained.
If you have a tool which is reporting that gosu is vulnerable to a particular CVE but govulncheck does not agree, please report this as a false positive to your CVE scanning vendor so that they can improve their tooling. (If you wish to verify that your reported CVE is part of govulncheck's dataset and thus covered by their tool, you can check the vulndb repository where they track those.)
Our govulncheck wrapper script (govulncheck-with-excludes.sh) may include a small set of vulnerabilities that will be reported by govulncheck which do not apply (due to other mitigations or otherwise). See comments in that script for details.
Similar to the how traditional Linux distributions such as Debian handle rebuilding binaries between stable releases / for updated compilers (or rather, the situations and reasons for which they do not do so), and in the same spirit as the above CVE policy and Go's "Minimal Version Selection", we do not update the compiler/rebuild with a newer compiler unless there is a compelling functional or security reason in the code that ends up as part of the gosu binary that warrants doing so.
As above, if you have a "security scanning" tool which does not agree with this policy, please take that up with your scanning tool vendor (report as a false positive, improve the tool to use govulncheck, etc).
The surface area of gosu itself is really limited -- it only directly contains a small amount of Go code to instrument an interface that is part of github.com/moby/sys/user (the Docker Engine's --user parsing code, to be exact) (and which itself is a pretty limited interface) intended for providing the same behavior as Docker's --user flag (switching from root to a less privileged user), but from within an already running container.
If you believe you have found a new vulnerability in gosu, chances are very high that it's actually a vulnerability in github.com/moby/sys/user or golang.org/x/sys, and should be reported appropriately and responsibly.
After all this, if you still believe you have discovered a novel vulnerability in the limited code that is gosu itself, please use GitHub's (private) advisory reporting feature to responsibly report it.