2.x security update cycle
-
Do you have a timeline for when 2.x support will end in terms of receiving security updates?
Also, I can see that webpack and socket.io versions were updated in March to protect against some identified vulnerabilities in v3. Is this likely to be rolled out to v2 as well? We could manually update these via package.json, provided there are no breaking changes, but wanted to check here first.
-
Likely, if webpack and socket.io were updated, they were updated automatically via Dependabot, although the actual merging is purposefully manual.
v2.x will continue to receive updates for at least a year, although I don't think we have discussed this internally. We have many users still using v2.x, so it would be rather unwise to pull support for it right now.
If the version upgrades are patch versions, then it is probably safe to update (unless they accidentally snuck a breaking change in it).
-
Great, thanks @julian. It was just that I noticed that npm audit still shows those vulnerabilities in version 2, but version 3 is okay.
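The patch-versus-breaking question in this thread, worked through as an added example (not code from the thread or the project): it reads the npm 7+ `npm audit --json` shape, which is an assumption here, and sorts each finding into a bump that a `^` range already accepts versus one that needs a major upgrade or human review. Package names and versions in the sample are constructed.

```javascript
// Parse "MAJOR.MINOR.PATCH" (pre-release/build suffix ignored); null on junk.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  return m ? { major: +m[1], minor: +m[2], patch: +m[3] } : null;
}
// Bump needed to go from `from` to `to`: "none", "patch", "minor", "major" or "downgrade".
function bumpKind(from, to) {
  const a = parseSemver(from), b = parseSemver(to);
  if (!a || !b) throw new Error(`unparseable version: ${from} -> ${to}`);
  for (const part of ["major", "minor", "patch"]) {
    if (b[part] !== a[part]) return b[part] > a[part] ? part : "downgrade";
  }
  return "none";
}
// Would a "^from" range in package.json already accept `to`? For 0.x packages the caret
// pins the minor, so a minor bump there is treated like a major one.
function withinCaret(from, to) {
  const kind = bumpKind(from, to);
  if (kind === "none" || kind === "patch") return true;
  return kind === "minor" && parseSemver(from).major !== 0;
}
// Walk the npm 7+ `npm audit --json` shape (assumed): { vulnerabilities: { <name>:
// { severity, fixAvailable } } } where fixAvailable is false, true, or
// { name, version, isSemVerMajor }. `installed` maps package name -> installed version.
function classifyAudit(audit, installed) {
  const out = [];
  for (const [name, vuln] of Object.entries(audit.vulnerabilities || {})) {
    const fix = vuln.fixAvailable, current = installed[name];
    // No concrete fix, or the fix means bumping a different (parent) package: a human decides.
    if (!fix || typeof fix !== "object" || !current || fix.name !== name) {
      out.push({ name, severity: vuln.severity, action: "manual-review" });
      continue;
    }
    const kind = bumpKind(current, fix.version);
    const safe = !fix.isSemVerMajor && withinCaret(current, fix.version);
    out.push({ name, severity: vuln.severity, from: current, to: fix.version, kind,
               action: safe ? "safe-bump" : "major-upgrade" });
  }
  return out;
}
// Constructed sample report and install map (names/versions are made up, not real advisories).
const SAMPLE_AUDIT = { vulnerabilities: {
  "pkg-a": { severity: "high", fixAvailable: { name: "pkg-a", version: "4.46.1", isSemVerMajor: false } },
  "pkg-b": { severity: "moderate", fixAvailable: { name: "pkg-b", version: "3.0.0", isSemVerMajor: true } },
  "pkg-c": { severity: "low", fixAvailable: false } } };
const SAMPLE_INSTALLED = { "pkg-a": "4.46.0", "pkg-b": "2.3.1", "pkg-c": "1.0.0" };
console.log(classifyAudit(SAMPLE_AUDIT, SAMPLE_INSTALLED));
```

Feed it a real report with `npm audit --json` and the versions from `npm ls --json`; anything marked `major-upgrade` or `manual-review` is where a changelog read and a test run belong before editing package.json.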