Source: angular.js Version: 1.8.3-3 Severity: serious Justification: not fit for Debian stable release; should not be released with Debian forky X-Debbugs-Cc: "László Böszörményi (GCS)" <[email protected]>, Bastien ROUCARIÈS <[email protected]>, [email protected], [email protected], [email protected]
Hi As discussed with László, filling a 'blocking bug' for Debian forky for src:angular.js to make sure we have a flag raised to (try) not to release Debian forky with the ancient angular.js version. While upstream was rewritten, Angular get regularly CVEs, where determining if the ancient version is affected as well involves substantial work. If it becomes unrealistic to get it removed or replaced accordingly we might re-evaluate towards the forky release (in sync with the release team obviously). Upstream support for AngularJS already ended on 7th April, 2022 and assuming Debian forky to be released in 2027, we already start with a 5 years unsupported still shipped AngularJS version. Regards, Salvatore

