Due to the criticality of the security issue and the few commits already committed in the 7.x-2.x branch, the 7.x-2.4 tag was released containing only the security fix compared to the 7.x-2.3 release. This issue is just to make sure that the same patch is applied in 7.x-2.x and included in further module releases.


Comments

th_tushar created an issue.

th_tushar:

Attached is the patch file to fix the security issue.

  • th_tushar committed 11b7c8a on 7.x-2.x
    Issue #2986809 by th_tushar: Update SA-CONTRIB-2018-053 in 7.x-2.x...
th_tushar:

Status: Active » Fixed
Unnikrishnan.K:

I tried this moderately critical update of xmlsitemap 7.x-2.4 via drush composer require and it fails to apply my existing patch "add_support_for_entity_translation-1481798-76.patch" from 7.x-2.3.
The version is updated to the new one, but it throws "Could not apply patch! Skipping."

Does anyone know the reason the patch is skipped?

grossmann:

I ran the patch against 2.3 and got this output:

patching file xmlsitemap_node/xmlsitemap_node.module
Hunk #1 succeeded at 17 (offset -5 lines).
Hunk #2 succeeded at 76 (offset -5 lines).
Hunk #3 FAILED at 227.
1 out of 3 hunks FAILED -- saving rejects to file xmlsitemap_node/xmlsitemap_node.module.rej

Against which version should I run the patch to get it working?

Are there any plans to release a stable version 2.4 of the module to check out with git / drush?

th_tushar:


Here, please use the attached patch against the 7.x-2.3 version to fix the security issue. The patch from #2 works for the 7.x-2.x branch.

grossmann:

Thank you for the patch. I didn't realize there is a new commit on 2.x. I will now just use the dev version.
Is there a reason not to tag this state as stable 2.4? This was what confused me at the beginning.

th_tushar:

There is a stable release with this patch. Did you check the release below or the project page?

https://www.drupal.org/project/xmlsitemap/releases/7.x-2.4

grossmann:

There is a release with 2.4, but the 2.4 tag is missing in the 2.x branch, see https://cgit.drupalcode.org/xmlsitemap/log/
This way I could not update to 2.4 with drush (using git). See the related issue I added.
Now I can update to the dev version 2.x, which includes the required commit. I just wondered why this is not tagged as 2.4.

othermachines:

Thanks for updating the 7.x-2.x branch. This caused me major headaches yesterday, as I couldn't easily re-roll the necessary patches.

The tag is still missing.

klausi:

Security releases should be as small as possible, so 2.4 not including all the other stuff is a good thing.

Now that 2.4 is released it would be a good idea to release 2.5 soon to avoid confusion what is and isn't released. We should also get #2986847: TypeError: Argument 1 passed to xmlsitemap_node_create_link() must be an instance of stdClass, boolean given in because the security release breaks cron runs in a critical way.

klausi:

The git tag for 2.4 is not missing, you can see it at https://cgit.drupalcode.org/xmlsitemap/tag/?id=7.x-2.4

th_tushar:

Yes @klausi, we should definitely release 2.5 soon. Here is the issue created to discuss the plan, #2986815: Plan to release 7.x-2.5 including #2986847: TypeError: Argument 1 passed to xmlsitemap_node_create_link() must be an instance of stdClass, boolean given.

grossmann:

OK, I know there is a 2.4 release, but it is not part of the 2.x HEAD branch and therefore drush and git fail to update to 2.4.
Having small security-only fixes would require separate branches for dev and stable/security, which is currently not working if using drush/git, right?
I think most projects just commit a security fix on the dev branch and tag it with a "stable" version tag (here 2.4). This way drush/git still works, but you get all the dev commits along with the security commit.
A solution might be to release the security fix as a patch against the latest stable (here 2.3), so people who don't want all the pending dev commits can avoid them by just patching their version.
I don't know if there are any rules or guidelines from the Drupal community on how to do this.

The #2986847 issue seems to be a critical bugfix release related to this security fix. So I am looking forward to a new 2.5 release.

Thanks for your work.

klausi:

The commit has now been on the 7.x-2.x branch for an hour: https://cgit.drupalcode.org/xmlsitemap/log/

You do not have to have a branch for a git commit. The 7.x-2.4 tag was created without a branch.

grossmann:

Yeah sure. That's the problem I meant. Releasing just a tag with 2.4 leaves all the people using drush/git to update their modules in the dark (which are quite a lot, I assume), as the tag is not picked up if it is not in the HEAD 2.x branch.
This is the output when doing a drush up xmlsitemap:

Name                      Installed Version  Proposed version  Message
 XML sitemap (xmlsitemap)  7.x-2.3            7.x-2.4           SECURITY UPDATE available


Update information last refreshed: Thu, 2018-07-19 08:53
Security updates will be made to the following projects: XML sitemap [xmlsitemap-7.x-2.4]

Note: A backup of your project will be stored to backups directory if it is not managed by a supported version control system.
Note: If you have made any modifications to any file that belongs to one of these projects, you will have to migrate those modifications after updating.
Do you really want to continue with the update process? (y/n): y
Unable to update xmlsitemap from git.drupal.org.                                   [error]
Updating project xmlsitemap failed. Attempting to roll back to previously installed version.   [error]
Backups were restored successfully.


Just for reference: The last 2.3 release from Dave Reid was also a security fix on top of all the dev commits.
https://www.drupal.org/project/xmlsitemap/releases/7.x-2.3
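
The situation klausi and grossmann describe above (a release tag created from a commit that sits on no branch, so a git-based checkout of 7.x-2.x never sees the fix) is easy to reproduce and to check for. The script below is an added example, not code from the xmlsitemap project or from anyone in this thread: it builds a throwaway repository with a 7.x-2.3 tag on 7.x-2.x, unrelated dev work on top, and a security fix committed on a detached HEAD at 7.x-2.3 and tagged 7.x-2.4. It then runs the two checks a dev-branch user wants (is the tag's commit an ancestor of the branch, and which branches contain it), and ports the fix with a cherry-pick. File names, commit messages and the "access check added" marker are constructed placeholders; the only real tool used is git.

```shell
# Added example (not the project's code). Requires git on PATH.

# Build the throwaway repo and print its path.
make_repo() {
  R=$(mktemp -d)
  git init -q "$R"
  git -C "$R" symbolic-ref HEAD refs/heads/7.x-2.x   # name the dev branch
  git -C "$R" config user.email "dev@example.invalid"
  git -C "$R" config user.name "example"
  echo "release code" > "$R/xmlsitemap_node.module"   # constructed content
  git -C "$R" add -A
  git -C "$R" commit -qm "7.x-2.3 release"
  git -C "$R" tag 7.x-2.3
  echo "new feature" > "$R/feature.inc"               # unrelated dev work
  git -C "$R" add -A
  git -C "$R" commit -qm "unrelated dev work on 7.x-2.x"
  # Security release: cut from the 7.x-2.3 tag on a detached HEAD, tagged,
  # never merged into any branch (the "tag without a branch" case).
  git -C "$R" checkout -q --detach 7.x-2.3
  echo "access check added" >> "$R/xmlsitemap_node.module"
  git -C "$R" commit -qam "security fix"
  git -C "$R" tag 7.x-2.4
  git -C "$R" checkout -q 7.x-2.x
  echo "$R"
}

# yes/no: is the commit behind tag $2 an ancestor of branch $3?
# A git-based dev checkout only carries the fix when this says yes.
tag_reachable_from() {
  if git -C "$1" merge-base --is-ancestor "$2^{commit}" "$3"; then echo yes; else echo no; fi
}

# Branches that contain tag $2. Empty output is the "tag is missing in the
# 2.x branch" symptom seen in the cgit log.
branches_containing() {
  git -C "$1" branch --contains "$2" --format='%(refname:short)'
}

# yes/no: does branch $2 carry the fixed code (grep the tree, not the tag)?
fix_present_on() {
  if git -C "$1" grep -q "access check added" "$2" -- xmlsitemap_node.module; then echo yes; else echo no; fi
}

# Port the fix commit behind tag $2 onto branch $3, as was done later in this
# thread. Note this creates a new commit: the tag itself stays off-branch.
port_fix() {
  git -C "$1" checkout -q "$3"
  git -C "$1" cherry-pick "$2^{commit}" >/dev/null
}

R=$(make_repo)
echo "7.x-2.3 reachable from 7.x-2.x: $(tag_reachable_from "$R" 7.x-2.3 7.x-2.x)"
echo "7.x-2.4 reachable from 7.x-2.x: $(tag_reachable_from "$R" 7.x-2.4 7.x-2.x)"
echo "branches containing 7.x-2.4: [$(branches_containing "$R" 7.x-2.4)]"
port_fix "$R" 7.x-2.4 7.x-2.x
echo "after cherry-pick, fix on 7.x-2.x: $(fix_present_on "$R" 7.x-2.x)"
echo "after cherry-pick, 7.x-2.4 reachable: $(tag_reachable_from "$R" 7.x-2.4 7.x-2.x)"
```

The last two lines are the point worth remembering from this thread: after the cherry-pick the fixed code is on 7.x-2.x, which is what a dev-version checkout needs, but `git branch --contains 7.x-2.4` stays empty because the tag still points at the original off-branch commit. Tools that resolve a release by tag and expect it on the branch HEAD will keep reporting it as missing, while tools that check the code itself will not.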

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.