Closed Bug 1350880 Opened 8 years ago Closed 7 years ago

angular.js is over a year old, please upgrade to a current version

Categories

(support.mozilla.org - Lithium :: General, enhancement, P1)

All
macOS
enhancement

Tracking

(Not tracked)

RESOLVED INVALID

People

(Reporter: rolandtanglao, Unassigned)

Details

(Whiteboard: [li-00134461])

From :april: "Also, I notice that Lithium seems to be running a very old version of AngularJS (1.4.8), which has a handful of security issues. Is there a reason it needs to be running such a dated version?"

AngularJS is from November 20, 2015, https://code.angularjs.org/
As of March 27, 2017, the current version is 1.6.x, first released in December 2016.

Initial discussion about angular.js was on the HSTS bug. Here is the request to Lithium in their support system:

QUOTE from https://supportcases.lithium.com/50061000009MCTs
Created By: Roland Tanglao (3/9/2017 9:49 PM)
Hi Kris:
Regarding your comment (3/7/2017 4:09 PM):
...
from april: "Also, I notice that Lithium seems to be running a very old version of AngularJS (1.4.8), which has a handful of security issues. Is there a reason it needs to be running such a dated version?"
c) Can Lithium upgrade to the latest stable version of Angular, and does that remove the requirement for unsafe-eval? If so, can we do that now or do we have to wait until the next monthly update?
END QUOTE
Whiteboard: [li-00134461[ → [li-00134461]
There has been a lot of work around sandboxing (1.6.0+) and whatnot in AngularJS. I'm not sure if there are any active vulnerabilities in Lithium, but AngularJS is a frequent target and being very far behind the head version of a large JavaScript framework like Angular usually makes it painful and difficult to upgrade should there be any new findings. I don't think newer versions get around the eval thing, though. :( It's not an emergency, but it's a good sign when your vendor is staying on top of these kinds of updates.
Priority: -- → P1
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → INVALID