Angular.js: Security Patches after EOL?

Created on 12 Aug 2019  ·  12 Comments  ·  Source: angular/angular.js

AngularJS is in LTS mode

We are no longer accepting changes that are not critical bug fixes into this project.
See https://blog.angular.io/stable-angularjs-and-long-term-support-7e077635ee9c for more detail.

I'm submitting a ...

  • [ ] regression from 1.7.0
  • [ ] security issue
  • [ ] issue caused by a new browser version
  • [x] other

Current behavior:

Expected / new behavior:

N/A

Minimal reproduction of the problem with instructions:

N/A

AngularJS version: 1.7.x

N/A

Browser: [all | Chrome XX | Firefox XX | Edge XX | IE XX | Safari XX | Mobile Chrome XX | Android X.X Web Browser | iOS XX Safari | iOS XX UIWebView | iOS XX WKWebView | Opera XX ]

N/A

Anything else:

I know the guidelines say to submit questions to Stack Overflow, but this is a direct question for the current maintainers of the AngularJS framework and the community.

As we all know, AngularJS is reaching EOL at the end of June 2021. With that, my understanding is that the AngularJS team won't support the framework anymore, including fixing security vulnerabilities.

As I work for a Large Corporation(™) I have the pleasure of being required to maintain various compliance standards. One of these states that we cannot use any library or framework that is no longer maintained. In our use case, it means that we only need to ensure that security patches are applied in order to maintain our compliance standing.

What I wanted to know is whether or not there were any plans for this project to be handed over to another entity for security updates. I understand that this is open source and that folks can fork the project, but I wanted to understand my options (as we have about 200k lines of code leveraging AngularJS).

I know that for other things, like Python 2, there are companies offering support contracts past the EOL date that can be purchased for enterprise usage. Is this something that is going to happen for AngularJS or will we be able to maintain the framework past EOL for free?

Thanks again, and apologies for filing this in the wrong place.

All 12 comments

I think AngularJS is better than Angular; I hope some organization continues to support AngularJS.

+1

Personally, I love AngularJS, it's been my framework of choice for a while (there's a simplicity to it that is not replicated in Angular IMHO) - plus, it has a wide variety of plugins, not all of which have been replaced with Angular versions.

That said, it's going to be rough going to stick with it. Like Python 2, authors will drop support for their plugins, and the framework will fall out of date. I think most corporate settings will have to have migration plans, either to upgrade their projects or move their customers to other applications/services, and in some cases they may have to discontinue support for things they're providing now.

Fortunately 2021 gives you some time, but I think regardless of what people feel about the framework, EOL has a fairly predictable outcome, and the only other option will be if someone can make a business supporting and patching AngularJS the way Python 2 companies like ActiveState are attempting, but it's a gamble that a company or companies can make a viable business supporting AngularJS.

+1

Amazing news for all the AngularJS Projects out there! 👏🏾

There is now an offering to support security patches to AngularJS after the LTS is over. You can find out more here: angularjs.xlts.dev. It was introduced at ng-conf: Hardwired this year.

> There is now an offering to support security patches to AngularJS after the LTS is over.

They want money 👎

Can anyone explain what versions are currently in support?

https://docs.angularjs.org/misc/version-support-status#blog-post only mentions 1.2x and 1.8, is 1.4 still receiving security patches and in support until July 2021?

> Can anyone explain what versions are currently in support?
>
> https://docs.angularjs.org/misc/version-support-status#blog-post only mentions 1.2x and 1.8, is 1.4 still receiving security patches and in support until July 2021?

Only versions listed there are supported in any way. 1.4 is not supported.

> > Can anyone explain what versions are currently in support?
> > https://docs.angularjs.org/misc/version-support-status#blog-post only mentions 1.2x and 1.8, is 1.4 still receiving security patches and in support until July 2021?
>
> Only versions listed there are supported in any way. 1.4 is not supported.

Thanks, that was my assumption given their omission but wanted to check.

I'm here because Angular v>2 can't do runtime compilation. I'm storing templates on a blob and they need to be rendered at runtime, and migrating my code here is faster than migrating my code to React. https://github.com/angular/angular/issues/15275#issue-215182323

Looking at AngularJS, it is really good. It has room for performance optimization like modular loading of the ng core module. I just hope it stays stable even after LTS, and hopefully it will be immortalized like jQuery.

You're not alone!

I'm sure there are people willing to maintain this open source project for free. Why wouldn't the Angular team let users take over officially?

It's a beautiful project, which has been transformative for the entire Web development community (much like jQuery). It still has thousands of projects relying on it. And these projects are not going to be migrated to Angular2/4/5/6/7/8 (they would have done so already).

If the Angular team is really going to give up on AngularJS, we need them to coordinate the takeover effort so that another team can officially maintain the project.
