I don't know how to word this so I'll say it bluntly (and probably bear the blunt of this community as a consequence): If you're a developer of a project that is used in a security-sensitive context, you either be receptive to security concerns or you clearly label your project as a toy project.
No one expects you to write perfect code, but we do expect you to fix flaws when you learn about them.
Of course, you could do neither, but don't be surprised when people call you out on it.
According to https://github.com/actix/actix-web, it appears that the author did accept the security concerns (when an actual use-after-free was found, but maybe not the previous, generic “unsafe oh noz” shitstorms), and wanted to explore some other way to fix the problem instead of accepting the patch as is.
Just because there’s a patch that fixes the issue doesn’t mean the maintainer has to merge that patch.