Package: release.debian.org
Severity: important
X-Debbugs-Cc: pkg-a11y-de...@alioth-lists.debian.net

Hi,

QuickJS has two CVEs, see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1104255 . Upstream has fixed the CVEs in a new version that at the same time makes an API-incompatible change. Backporting the CVEs can be riskier than packaging the new upstream version. Currently the only downstream user of QuickJS is Edbrowse, which statically links to QuickJS and is also affected by the API change.

In an attempt to close the CVEs, I've uploaded the latest QuickJS 2025.04.26 and would now need to upload the already packaged Edbrowse (see SALSA). I suppose this is against the release plan/policy, hence I'm raising it here.

As I said, I believe it will be easier for Trixie to get the latest versions into Debian, as this will decrease the maintenance burden, especially in the case of future CVEs.

Thanks