Joel Richard

Reputation: 21

Vulnerability support for outdated Angular versions

A critical vulnerability (CVE-2024-21490) was identified in Angular 14, which is currently not supported under the Long-Term Support (LTS) policy, but we later got confirmation from the CAST team that it is a false positive.

Could anyone please clarify if Angular will provide any level of support, such as critical bug fixes or security patches, for this non-supported version in case of such critical vulnerabilities in the future? We had just upgraded our Angular version from 9 to 14, and we can't just keep upgrading each time in case of a vulnerability, as it's a large effort required from our team.

I had initially raised a ticket for the mentioned vulnerability in the @angular/core repository, but they informed me that my Angular version is not currently supported. So what are the next steps to perform if a vulnerability arises for a non-supported version of Angular?

Upvotes: 2

Views: 755

Answers (1)

Matthieu Riegler

Reputation: 54569

CVE-2024-21490 only affects AngularJS, not Angular (2+).

Right now, the Angular team only provides security fixes for LTS versions (which are the 2 previous versions, currently v15 & v16).

HeroDevs is known to provide support for non-supported versions.

Upvotes: 1
