CVE-2022-39209 is not fixed. Please replace the vendored cmark-gfm library with the Debian package and help its
maintainer to import the new upstream version.
Also, the homepage should be relaced with https://kde.github.io/ghostwriter and the watch file should scan GitHub's tags
page instead of releases (does not work anymore).
I do not see the corresponding source for a lot of minified JavaScript files in
3rdparty/MathJax/bin.
You try to override the lintian msg in debian/source/lintian-overrides but do
not give a reason for it.
