Security Patches after EOL?

[dambrosiomike]

AngularJS is in LTS mode

We are no longer accepting changes that are not critical bug fixes into this project.
See https://blog.angular.io/stable-angularjs-and-long-term-support-7e077635ee9c for more detail.

I'm submitting a ...

• regression from 1.7.0
• security issue
• issue caused by a new browser version
• other

Current behavior:

Expected / new behavior:

N/A

Minimal reproduction of the problem with instructions:

N/A

AngularJS version: 1.7.x

N/A

Browser: [all | Chrome XX | Firefox XX | Edge XX | IE XX | Safari XX | Mobile Chrome XX | Android X.X Web Browser | iOS XX Safari | iOS XX UIWebView | iOS XX WKWebView | Opera XX ]

N/A

Anything else:

I know the guidelines say to submit questions to stack overflow but this is a direct question for the current maintainers of the AngularJS framework and the community.

As we all know, AngularJS is reaching EOL at the end of June 2021. With that, my understanding is that the AngularJS team won't support the framework anymore, including fixing security vulnerabilities.

As I work for a Large Corporation(™) I have the pleasure of being required to maintain various compliance standards. One of these states that we cannot use any library or framework that is no longer maintained. In our use case, it means that we only need to ensure that security patches are applied in order to maintain our compliance standing.

What I wanted to know is whether or not there were any plans for this project to be handed over to another entity for security updates. I understand that this is open source and that folks can fork the project, but I wanted to understand my options (as we have about 200k lines of code leveraging AngularJS).

I know that for other things, like Python 2, there are companies offering support contracts past the EOL date that can be purchased for enterprise usage. Is this something that is going to happen for AngularJS or will we be able to maintain the framework past EOL for free?

Thanks again, and apologies for filing this in the wrong place.

[wuzhenda]

I think the angularjs is better than angular,hope some organization continue to support angularjs.

[ravisalunkhe85]

+1

[SFoster84]

Personally, I love AngularJS, it's been my framework of choice for a while (there's a simplicity to it that is not replicated in Angular IMHO) - plus, it has a wide variety of plugins which not all have been replaced with angular versions.

That said, it's going to be rough going to stick with it, like python2, authors will drop support for their plugins, and the framework will fall out of date, I think most corporate settings will have to have migration plans either to upgrade their projects or move their customers to other applications/services and in some cases they may have to discontinue support for things they're providing now.

Fortunately 2021 gives you some time, but I think regardless of what people feel about the framework, EOL has a fairly predicable outcome and the only other option will be if someone can make a business supporting and patching AngularJS they way Python2 companies like ActiveState are attempting, but it's a gamble that a company or companies can make a viable businesses supporting AngularJS.

[LordDashMe]

+1

[GuzmanPI]

Amazing news for all the AngularJS Projects out there! 👏🏾

[aaronfrost]

There is now an offering to support security patches to AngularJS after the LTS is over. You can find out more here: xlts.dev/angularjs. It was introduced at ng-conf: Hardwired this year.

[nightmarez]

There is now an offering to support security patches to AngularJS after the LTS is over.

They want money 👎

[philgriffin]

Can anyone explain what versions are currently in support?

https://docs.angularjs.org/misc/version-support-status#blog-post only mentions 1.2x and 1.8, is 1.4 still receiving security patches and in support until July 2021?

[mgol]

Can anyone explain what versions are currently in support?

https://docs.angularjs.org/misc/version-support-status#blog-post only mentions 1.2x and 1.8, is 1.4 still receiving security patches and in support until July 2021?

Only versions listed there are supported in any way. 1.4 is not supported.

[philgriffin]

Can anyone explain what versions are currently in support?
https://docs.angularjs.org/misc/version-support-status#blog-post only mentions 1.2x and 1.8, is 1.4 still receiving security patches and in support until July 2021?

Only versions listed there are supported in any way. 1.4 is not supported.

Thanks, that was my assumption given their omission but wanted to check.

I'm here because angular v>2 can't do runtime compilation. I'm storing templates on a blob and needs to be rendered at runtime. and migrating my code here is faster than migrating my code to react. angular/angular#15275 (comment)

Looking at angularjs, it is really good. It has room for performance optimization like modular loading of the ng core module. I just hope it stays stable even after LTS. and hopefully be immortalized like jquery.

[bertysentry]

You're not alone!

I'm sure there are people willing to maintain this open source project for free. Why the Angular team wouldn't let users take over officially?

It's a beautiful project, which has been transformative for the entire Web development community (much like jQuery). It still has thousands of projects relying on it. And these projects are not going to be migrated to Angular2/4/5/6/7/8 (they would have done so already).

If the Angular team is really going to give up on AngularJS, we need them to coordinate the takeover effort so that another team can officially maintain the project.

[noahlz]

Why the Angular team wouldn't let users take over officially?

...It's open source? You can certainly fork the project...? This has happened with many other widely-adopted OSS projects such as MariaDB (fork of MySQL), Crossroads I/O (fork of ZeroMQ), etc.

As for XLTS.dev wanting money for security fixes of AngularJS post-EOL.... what is wrong with experts being compensated for their work...? I'm struggling to see the issue there.

[petebacondarwin]

If the Angular team is really going to give up on AngularJS, we need them to coordinate the takeover effort so that another team can officially maintain the project.

The Angular team currently has no intention of officially passing the project to a new maintainer. Since it is open source, it is possible to fork and setup your own ongoing maintenance of this project. Since it is in LTS (and shortly EOL) there are no expected upstream changes that you would need to keep in sync with.