
Security Patches after EOL?

Open dambrosiomike opened this issue 5 years ago • 22 comments

AngularJS is in LTS mode

We are no longer accepting changes that are not critical bug fixes into this project. See https://blog.angular.io/stable-angularjs-and-long-term-support-7e077635ee9c for more detail.

I'm submitting a ...

  • [ ] regression from 1.7.0
  • [ ] security issue
  • [ ] issue caused by a new browser version
  • [x] other

Current behavior:

Expected / new behavior:

N/A

Minimal reproduction of the problem with instructions:

N/A

AngularJS version: 1.7.x

N/A

Browser: [all | Chrome XX | Firefox XX | Edge XX | IE XX | Safari XX | Mobile Chrome XX | Android X.X Web Browser | iOS XX Safari | iOS XX UIWebView | iOS XX WKWebView | Opera XX ]

N/A

Anything else:

I know the guidelines say to submit questions to stack overflow but this is a direct question for the current maintainers of the AngularJS framework and the community.

As we all know, AngularJS is reaching EOL at the end of June 2021. With that, my understanding is that the AngularJS team won't support the framework anymore, including fixing security vulnerabilities.

As I work for a Large Corporation(™) I have the pleasure of being required to maintain various compliance standards. One of these states that we cannot use any library or framework that is no longer maintained. In our use case, it means that we only need to ensure that security patches are applied in order to maintain our compliance standing.

What I wanted to know is whether or not there were any plans for this project to be handed over to another entity for security updates. I understand that this is open source and that folks can fork the project, but I wanted to understand my options (as we have about 200k lines of code leveraging AngularJS).

I know that for other things, like Python 2, there are companies offering support contracts past the EOL date that can be purchased for enterprise usage. Is this something that is going to happen for AngularJS or will we be able to maintain the framework past EOL for free?

Thanks again, and apologies for filing this in the wrong place.

dambrosiomike avatar Aug 12 '19 19:08 dambrosiomike

I think AngularJS is better than Angular; I hope some organization continues to support AngularJS.

wuzhenda avatar Aug 13 '19 06:08 wuzhenda

+1

ravisalunkhe85 avatar Sep 04 '19 11:09 ravisalunkhe85

Personally, I love AngularJS, it's been my framework of choice for a while (there's a simplicity to it that is not replicated in Angular IMHO) - plus, it has a wide variety of plugins which not all have been replaced with angular versions.

That said, it's going to be rough going to stick with it. Like Python 2, authors will drop support for their plugins, and the framework will fall out of date. I think most corporate settings will have to have migration plans, either to upgrade their projects or move their customers to other applications/services, and in some cases they may have to discontinue support for things they're providing now.

Fortunately 2021 gives you some time, but I think regardless of what people feel about the framework, EOL has a fairly predictable outcome, and the only other option will be if someone can make a business supporting and patching AngularJS the way Python 2 companies like ActiveState are attempting, but it's a gamble that a company or companies can make a viable business supporting AngularJS.

SFoster84 avatar Oct 12 '19 02:10 SFoster84

+1

LordDashMe avatar Jun 05 '20 17:06 LordDashMe

Amazing news for all the AngularJS Projects out there! 👏🏾

GuzmanPI avatar Jun 10 '20 21:06 GuzmanPI

There is now an offering to support security patches to AngularJS after the LTS is over. You can find out more here: xlts.dev/angularjs. It was introduced at ng-conf: Hardwired this year.

aaronfrost avatar Jun 12 '20 22:06 aaronfrost

There is now an offering to support security patches to AngularJS after the LTS is over.

They want money 👎

nightmarez avatar Jul 23 '20 12:07 nightmarez

Can anyone explain what versions are currently in support?

https://docs.angularjs.org/misc/version-support-status#blog-post only mentions 1.2x and 1.8, is 1.4 still receiving security patches and in support until July 2021?

philgriffin avatar Aug 05 '20 14:08 philgriffin

Can anyone explain what versions are currently in support?

https://docs.angularjs.org/misc/version-support-status#blog-post only mentions 1.2x and 1.8, is 1.4 still receiving security patches and in support until July 2021?

Only versions listed there are supported in any way. 1.4 is not supported.

mgol avatar Aug 05 '20 15:08 mgol

Can anyone explain what versions are currently in support? https://docs.angularjs.org/misc/version-support-status#blog-post only mentions 1.2x and 1.8, is 1.4 still receiving security patches and in support until July 2021?

Only versions listed there are supported in any way. 1.4 is not supported.

Thanks, that was my assumption given their omission but wanted to check.

philgriffin avatar Aug 05 '20 15:08 philgriffin
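The version-support question above is the one a compliance reviewer actually has to answer per deployment: which AngularJS builds are in the tree, and are they on a line the docs page still lists. The script below is an added example, not code from the AngularJS project or from anyone in this thread. It reads the version out of the license banner that built angular.js / angular.min.js files start with ("AngularJS v1.8.2"), out of the npm package "angular" in a package.json (that package is AngularJS 1.x; Angular 2+ ships as @angular/*), and flags anything off the supported lines. The support table (1.2.x and 1.8.x, everything EOL after 2021-12-31) and the sample inputs are assumptions constructed from the thread, not a live lookup; adjust them to your own policy.

```python
"""Flag AngularJS versions found in a project against a version-support table.

Added example; not code from the AngularJS project. SUPPORTED_LINES and
ANGULARJS_EOL are assumptions taken from the thread above (the docs page listed
only 1.2.x and 1.8.x in Aug 2020; all lines reached EOL on 2021-12-31).
"""
import json
import re
from datetime import date

SUPPORTED_LINES = {(1, 2), (1, 8)}       # assumption: lines listed on the docs page
ANGULARJS_EOL = date(2021, 12, 31)       # assumption: final EOL date for all lines

# Built AngularJS files open with a license banner such as
# "@license AngularJS v1.8.2" (angular.js) or " AngularJS v1.8.2" (angular.min.js).
_BANNER_RE = re.compile(r"AngularJS v(\d+)\.(\d+)\.(\d+)")
_SEMVER_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def version_from_bundle(js_text):
    """Return (major, minor, patch) from a bundled angular(.min).js, or None."""
    m = _BANNER_RE.search(js_text[:4096])   # banner is at the top; skip the rest
    return tuple(int(g) for g in m.groups()) if m else None


def version_from_package_json(pkg_text):
    """Return the floor version a package.json declares for the npm package
    'angular' (AngularJS 1.x), or None if it is not a dependency."""
    pkg = json.loads(pkg_text)
    for section in ("dependencies", "devDependencies"):
        spec = pkg.get(section, {}).get("angular")
        if spec:
            m = _SEMVER_RE.search(spec)     # "^1.8.0" -> (1, 8, 0), the range floor
            return tuple(int(g) for g in m.groups()) if m else None
    return None


def support_status(version, today_iso):
    """'eol' once ANGULARJS_EOL has passed; otherwise 'supported' if the
    major.minor line is in SUPPORTED_LINES, else 'unsupported'."""
    if date.fromisoformat(today_iso) > ANGULARJS_EOL:
        return "eol"
    return "supported" if tuple(version[:2]) in SUPPORTED_LINES else "unsupported"


def audit(findings, today_iso):
    """findings: {path: (major, minor, patch)}. Returns [(path, version, status, ok)];
    ok is True only when the finding passes a 'no unmaintained library' control."""
    report = []
    for path, ver in sorted(findings.items()):
        status = support_status(ver, today_iso)
        report.append((path, ".".join(map(str, ver)), status, status == "supported"))
    return report


# Constructed sample inputs (not taken from any real project).
SAMPLE_BUNDLE = (
    "/**\n * @license AngularJS v1.4.14\n * (c) 2010-2017 Google, Inc. http://angularjs.org\n"
    " * License: MIT\n */\n(function(window) {'use strict';"
)
SAMPLE_MIN_BUNDLE = (
    "/*\n AngularJS v1.8.2\n (c) 2010-2020 Google LLC. http://angularjs.org\n"
    " License: MIT\n*/\n(function(z){'use strict';"
)
SAMPLE_PACKAGE_JSON = '{"name": "legacy-app", "dependencies": {"angular": "^1.8.0", "lodash": "4.17.21"}}'

if __name__ == "__main__":
    found = {
        "vendor/angular.js": version_from_bundle(SAMPLE_BUNDLE),
        "vendor/angular.min.js": version_from_bundle(SAMPLE_MIN_BUNDLE),
        "package.json": version_from_package_json(SAMPLE_PACKAGE_JSON),
    }
    for path, ver, status, ok in audit(found, "2020-08-05"):
        print(f"{'PASS' if ok else 'FAIL'} {path}: AngularJS {ver} ({status})")
```

Run against a checkout by feeding each vendored angular*.js and package.json to the two parsers; anything reported as unsupported or eol is a finding regardless of whether a CVE is known for it, which is exactly the "no unmaintained library" test the thread's compliance standard applies.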

I'm here because Angular v>2 can't do runtime compilation. I'm storing templates in a blob and they need to be rendered at runtime, and migrating my code here is faster than migrating my code to React. https://github.com/angular/angular/issues/15275#issue-215182323

Looking at AngularJS, it is really good. It has room for performance optimization, like modular loading of the ng core module. I just hope it stays stable even after LTS, and hopefully gets immortalized like jQuery.

ghost avatar Aug 23 '20 08:08 ghost

You're not alone!

I'm sure there are people willing to maintain this open source project for free. Why wouldn't the Angular team let users take over officially?

It's a beautiful project, which has been transformative for the entire Web development community (much like jQuery). It still has thousands of projects relying on it. And these projects are not going to be migrated to Angular2/4/5/6/7/8 (they would have done so already).

If the Angular team is really going to give up on AngularJS, we need them to coordinate the takeover effort so that another team can officially maintain the project.

bertysentry avatar Oct 28 '20 09:10 bertysentry

Why wouldn't the Angular team let users take over officially?

...It's open source? You can certainly fork the project...? This has happened with many other widely-adopted OSS projects such as MariaDB (fork of MySQL), Crossroads I/O (fork of ZeroMQ), etc.

As for XLTS.dev wanting money for security fixes of AngularJS post-EOL.... what is wrong with experts being compensated for their work...? I'm struggling to see the issue there.

noahlz avatar Oct 04 '21 14:10 noahlz

If the Angular team is really going to give up on AngularJS, we need them to coordinate the takeover effort so that another team can officially maintain the project.

The Angular team currently has no intention of officially passing the project to a new maintainer. Since it is open source, it is possible to fork and set up your own ongoing maintenance of this project. Since it is in LTS (and shortly EOL) there are no expected upstream changes that you would need to keep in sync with.

petebacondarwin avatar Oct 04 '21 15:10 petebacondarwin

@noahlz While I'm 100% with you on compensating people for their work, I hope you realize that having to pay for security fixes contradicts principles of both open source and security?

Also, having multiple forks of the repo with various minor updates and security fixes is just going to create uncertainty in the community of developers relying on this (awesome) framework.

I guess at some point the documentation site is going to be taken down as well, so do we need to archive that as well, just in case?

bertysentry avatar Oct 04 '21 15:10 bertysentry

I hope you realize that having to pay for security fixes contradicts principles of both open source and security?

Where in Open Source manifestos etc. does it say that when the core committers behind a project declare it End of Life that they should continue to provide critical security fixes for free? It's...end of life.

XLTS.dev is going to fork AngularJS and provide security fixes past end of life...They are asking to be compensated for this effort. I'm struggling to find a problem with being paid for labor.

If another person / team wants to fork AngularJS and provide the same CVE fixes for free ... I'm sure the community would be very excited for that!

noahlz avatar Oct 04 '21 15:10 noahlz

I guess at some point the documentation site is going to be taken down as well, so do we need to archive that as well, just in case?

There are no plans to take down this site.

The good news is that it is very easy to generate and host the documentation locally. The following should do it:

git clone https://github.com/angular/angular.js
cd angular.js
yarn
yarn grunt package
yarn grunt webserver

Then you can access the docs at localhost:8000/build/docs

petebacondarwin avatar Oct 04 '21 15:10 petebacondarwin

Geez @noahlz! What percentage of the thousands of developers using AngularJS will subscribe to this maintenance service? My guess: a small fraction. The rest will either migrate to Vue.js (and pray it doesn't go the same route), or simply keep unpatched AngularJS (because of lack of knowledge, lack of will, lack of expertise, lack of time, etc.), with vulnerabilities well documented for "bad guys" to use.

IMO Google could have taken over officially (and subcontracted to XLTS if they don't have the resources to do it internally). But I'm not going to keep deluding myself here: looks like the end of the road for AngularJS. 😥

bertysentry avatar Oct 04 '21 15:10 bertysentry

https://angular.io/guide/upgrade

The economics of Open Source are certainly something!

noahlz avatar Oct 04 '21 16:10 noahlz

@bertysentry, take a look at the facts:

  1. Angular 2 first release candidate was published in May 2016.
  2. AngularJS author, Google, announced in January 2018 that AngularJS would enter a 3 year Long Term Support period (i.e. end-of-life in 3 years; there was an extension to December 31 2021 due to Covid-19).

So as I see it, Google published a newer version 5+ years ago (warning No. 1 to anyone who uses Angular 1.x, AKA AngularJS). In addition, they told the entire community that in 2021 AngularJS would enter its EOL (warning No. 2).

That's how open source works, and the author did its best to warn about it years in advance. So I don't see anything wrong here. Applications which still depend on outdated libraries should take that into consideration and act accordingly years in advance, or fork, or pay experts if they decide to still depend on that library.

You just said it: EOL (end-of-life) is exactly the end of the road for AngularJS. Nothing wrong here 🤷‍♂️

AlonBe avatar Oct 04 '21 16:10 AlonBe

@AlonBe I know the story of Angular 2: it was no longer Google, it was a fresh reboot, they started from scratch, and AngularJS users didn't like it. There was no migration path and the ecosystem was weak. Angular itself saw major breaking changes later on.

You guys are right though: nobody paid anything to Google for AngularJS, therefore they owe us nothing at all. So they did nothing wrong, and I'm thankful they created this excellent UI framework and provided it for free to anyone.

I just wish Google would take a page from Microsoft's book: years after the official extended end-of-life of Windows XP, Microsoft still provided critical security patches to the venerable OS. Just because it would make the overall Internet safer (and because people were pointing their finger at them).

Now, long life to VueJS.

bertysentry avatar Oct 04 '21 17:10 bertysentry

Any plan to have an open-source version with fixes for security issues after EOL? That would be very good for the thousands of applications still using AngularJS.

glauberramos avatar Dec 14 '21 17:12 glauberramos