Hi Andreas,

On 22.09.21 14:05, Andreas Tille wrote:
I'd like to add some comment to this package since I was personally quite unhappy to see this new dependency from code copies of what we have in Debian. However, this was only first sight, since we do not have jQuery version 1 and 2 any more and for the CRAN packages we also need to pin the minor version of version 3 code for the CRAN packages.
There is a reason why those older versions should not be part of Debian anymore.
They are no longer supported by upstream and do not get any security fixes.
After second thought about it these code copies are on one hand not worse than several others uncovered by my research
So please file bugs against packages that contain open security issues.

Thorsten