Yes, they released a new feature so theres new code. The only way that violates open-source is if this code has been in production, which no one has any proof of.
Apparently everyone thinks opensource means real time access to development.
Please re-read my comment four posts upthread. It's possible that this code wasn't in production; if so, there were known vulnerabilities left open for months.
how did they hide anything? do you know this code has been in production?