There's a merged pull request on the void-packages repository

lurch: revert patch from #26757
https://github.com/void-linux/void-packages/pull/26843

Description:
The patch was erroneously applied after a github user claimed it to be
a security issue, and later it was determined that this user was going
around tricking various projects into applying their patch that had
been exlicitly declined by upstream (xsf/xeps#894).

There's probably a dialog to happen here around relative security of
accepting unverified patches in the name of 'security' but this is
neither the time nor the place.