On Tue, May 6, 2025 at 4:41 PM Sylvain Beucler <[email protected]> wrote:
> I just noticed that angular.js is EOL'd by Google since 2022.

Indeed, it was replaced by angular.io, which was packaged once I believe. But I couldn't find any trace of it at all.
There's AngularJS Long-Term Support [1] till 2030, but that's not open source. The other one is called NES (Never-Ending Support) [2], which is also not open source. Maybe the above solutions are the reason that sources (I don't know how valid) state that in Angular land 29% of the use cases are still AngularJS.

> AFAICS none of the 9 CVEs reported since had a fix:
> https://security-tracker.debian.org/tracker/source-package/angular.js
> https://deb.freexian.com/extended-lts/tracker/source-package/angular.js

Then maybe more. There are alternative vulnerability directories [3]; I don't know how authentic they are.

> Discussion on the first Debian bug suggested attempting to drop the
> package entirely in trixie (though that didn't seem to have happened):
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014779

I think it can be dropped. There are two packages using it, libjs-angular-gettext and libjs-angularjs-smart-table. Need to investigate if those can be removed as well.

Please note OpenStack in Debian is even more vulnerable to AngularJS issues: python-xstatic-angular and python-xstatic-angular-* in general even use an older version of it, v1.8.2. The last upstream release is 1.8.3 and I don't remember if it has meaningful changes since the 1.8.2 one.

Hope this helps give more view into the situation.

Laszlo/GCS

[1] https://www.openlogic.com/solutions/angularjs-support-and-services
[2] https://www.herodevs.com/support/nes-angularjs
[3] https://www.herodevs.com/vulnerability-directory?framework=AngularJS
