Commit
luci-app-bmx6: drop this because of security vulnerabilities
DependencyBot, which we are using, is sending us emails about these CVEs:
CVE-2012-6708
CVE-2020-23064
CVE-2019-11358

This was reported to the maintainer in April 2023, but no one stepped in to fix that, so let's drop this. Replacement could be luci-app-bmx7.

Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
c2124dd
May we have the opportunity to add the package back if I fix these vulnerabilities? @BKPepe
Mhm.., I was thinking about that, but no. I need to be strict and honest with you. Those vulnerabilities were left here for almost 6 months without any attention. We were getting weekly reports about new vulnerabilities and also it got our attention when we pushed something to the master branch via CLI. Okay, that's one thing. Why does only this app need to bundle jquery? It is not sufficient to fix that. It needs to be refactored because no apps are bundling it in the LuCI repository. The other thing is that there were a few issues reported to us in this repository about this package, and no one has cared about that for 2-3 years.
To sum it up - no, this package is not maintained here, bmx6 has not received any new commits since 2018 (sorry, I don't count fixing smth in README about Wikipedia's URL).
To me, overall, it is dead. There's no point to revive it. Switch to bmx7, if possible.