
RHEL and CentOS have 5 years of updates for their core packages.



According to their git repository[1] the last time they updated the WebKitGTK library was half a year ago. In the meantime there have been multiple upstream releases, fixing multiple security vulnerabilities[2-6]. Or does this git mirror not reflect the current state of the version they're shipping?

[1] https://git.centos.org/rpms/webkit2gtk3/commits/c8
[2] https://webkitgtk.org/security/WSA-2020-0001.html
[3] https://webkitgtk.org/security/WSA-2020-0002.html
[4] https://webkitgtk.org/security/WSA-2020-0003.html
[5] https://webkitgtk.org/security/WSA-2020-0004.html
[6] https://webkitgtk.org/security/WSA-2020-0005.html


Looks like that package is part of the AppStream collection and therefore does not have the same guarantees as the core packages. That's at least what some quick googling told me.

RHEL and CentOS have pretty good backporting support for packages that they support, but most installs of them that I have seen use/include packages from other collections that are not supported, which is of course the wrong way to do it.



