Hi Moritz,

On Mon, Jul 11, 2022 at 9:27 PM Moritz Mühlenhoff <j...@inutil.org> wrote:
> The following vulnerability was published for angular.js.
>
> CVE-2022-25844[0]:

I don't think this will be fixed officially.

> Notably, the website states that AngularJS support ended in January 2022
> and that angular.io is the successor?

Quick timeline for clarification. Indeed, Angular.io is the successor of AngularJS. I think it was first released in 2016. That time upstream, Google stated the support of AngularJS will end in January, 2018. Maybe because big projects were still using it, the support was extended to January, 2022 (this year). This time it really finished, the projects remained online but read-only. The successor, Angular.io still lives and is developed.

I don't have numbers, but it seems enough big projects still use AngularJS, at least two commercial companies still support it (one to the end of [?] 2023, the other till 2027 as I know) for money of course. That is, I doubt the fix will be publicly available. Google already supported it for six years after it was deprecated.

What's the option of the Security Team? Should I wait for long if a fix becomes available or simply ask for the removal of the package in some months?

Regards,
Laszlo/GCS