Reputation: 315
When using Vue as a detached SPA, surely there aren't going to be any major 'vulnerabilities' discovered after its EOL in Dec 2023.
My use of Vue is as a detached front-end SPA, with an Express REST API backend; practically all the 'risk' is in the back-end, so I imagine if I have properly configured my front-end (use of env variables etc.), Vue 2.7 should still be production-ready well into 2030? Whether it should be used up to 2030 is a different question.
I have business-legitimate and personal reasons not to upgrade to Vue 3.x. Most people upgrade because the ecosystem followed Vue 3; I only rely on Vue-CLI, and my Vue 2 codebase is too large to refactor without security motivations.
This is a difficult question because most software isn't capable of being used as a detached front-end; therefore, there isn't a lot of evidence available from what I've gathered on the internet about security vulnerabilities for this kind of framework, post EOL.
Upvotes: 6
Views: 564
Reputation: 46696
I wouldn't bet such a thing on a JS framework, you never know what may happen. Especially since if Vue uses a dependency of some sort (like lodash or whatever) and it gets some vulnerability, you will not have an upgrade I guess.
So yeah, probably not a good idea to bet on JS for long-term apps. But at the same time, as you said: there is nothing that critical in a client-side JS framework.
It all depends on what you're gonna use it with/packages around Vue too.
Using some backend to render the views will be safer (then adding some vanilla JS on top of it to replicate an SPA's behavior). Otherwise, everything that is far from JS and more on the server side will be safer for sure.
TLDR: JS requires maintenance.
Upvotes: 4