[Pkg-javascript-devel] Potential MBF: Migration from twitter-bootstrap{3, 4} to bootstrap-html (v5)
Paul Gevers
elbrus at debian.org
Thu Feb 6 08:21:46 GMT 2025
Hi Security team, Santiago,
On 03-02-2025 23:49, Santiago Ruano Rincón wrote:
> You may probably be aware that I filed the bootstrap v5
> migration-related bugs, that can be listed with:
> https://bugs.debian.org/cgi-bin/pkgreport.cgi?tag=bootstrap-v5-migration;users=debian-lts@lists.debian.org
>
> Do you believe their severity could be increased? If yes, to important,
> to grave?
>
> It would be great to get rid of the dependencies on those unmaintained
> bootstrap versions, whose outstanding (minor-severity) CVEs are
> difficult to get fixed, and it will be the case for any future issue.
> https://security-tracker.debian.org/tracker/source-package/twitter-bootstrap3
> https://security-tracker.debian.org/tracker/source-package/twitter-bootstrap4
>
> The time for fixing all of those dependencies is probably too short for
> trixie. But I would bring it for discussion.
@Santiago, are there key packages involved in this? If so, which?
What's the opinion of the security team on this? I want to follow your
lead here. If you think it's better from a security standpoint to not
have this in trixie, I'm fine with raising severity now (assuming no key
packages are involved).
Paul