
Re: angular.js: EOL?



On Tue, May 6, 2025 at 4:41 PM Sylvain Beucler <beuc@beuc.net> wrote:
> I just noticed that angular.js is EOL'd by Google since 2022.
Indeed, it was replaced by angular.io, which was packaged once, I
believe. But I couldn't find any trace of it.
There's AngularJS Long-Term Support [1] till 2030, but that's not open
source. The other one is called NES (Never-Ending Support) [2], which
is also not open source.
Maybe the above solutions are why sources (I don't know how valid)
state that in Angular land 29% of the use cases are still AngularJS.

> AFAICS none of the 9 CVEs reported since had a fix:
> https://security-tracker.debian.org/tracker/source-package/angular.js
> https://deb.freexian.com/extended-lts/tracker/source-package/angular.js
Then maybe more. There are alternative vulnerability directories [3]; I
don't know how authentic.

> Discussion on the first Debian bug suggested attempting to drop the
> package entirely in trixie (though that didn't seem to have happened):
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014779
I think it can be dropped. There are two packages using it,
libjs-angular-gettext and libjs-angularjs-smart-table. We need to
investigate whether those can be removed as well.
Please note OpenStack in Debian is even more vulnerable to AngularJS
issues: python-xstatic-angular and python-xstatic-angular-* in general
are even using an older version of it, v1.8.2. The last upstream release
is 1.8.3, and I don't remember if it has meaningful changes since the
1.8.2 one.

Hope this helps give more view into the situation.
Laszlo/GCS

[1] https://www.openlogic.com/solutions/angularjs-support-and-services
[2] https://www.herodevs.com/support/nes-angularjs
[3] https://www.herodevs.com/vulnerability-directory?framework=AngularJS

