On Tue, Feb 28, 2017 at 02:28:28PM +0200, Adrian Bunk wrote:
> Control: severity -1 serious
>
> Dozens of unfixed CVEs, the oldest unfixed CVEs will be more than
> 4 years old when stretch gets released.
>
> In the current state the package is really too buggy for shipping
> in a new stable release.

Note that nodejs will not be covered by security support in stretch (as it was done for jessie already). We had initially considered it, but with nodejs 6 not having made it into stretch, that's not realistic. So these can be downgraded to non-RC (or if the release team thinks nodejs should rather be removed from testing, removal is also an option of course).

Cheers,
Moritz