Description
As much as I'd like people to always upgrade to the newest TypeDoc version when it's released, or shortly after, this isn't always feasible for some projects, which are either stuck on old TypeScript versions or don't have enough dedicated time to resolve any breaking changes.
My policy for support for old versions has always been "upgrade or perish", but despite that, there are a significant number of projects using an old version of TypeDoc. Here's the data from npm for this past week.
In the interest of not totally leaving old projects to die, lots of projects will do security updates for older versions for some period of time. I've said before that I don't have the time to maintain old versions, which remains true, but I'm open to creating a branch for one or maybe two prior minor versions, which will accept patches to fix security vulnerabilities only.
My concerns:
- Continuing to support older versions will lead to an increase of bug reports for unsupported versions.
- Accepting patches for security issues will be construed to mean that vulnerabilities will be fixed on discovery for old versions by a maintainer.
- Partial support for old versions will encourage people to remain on older versions even when an upgrade is available.
It is also worth mentioning here that TypeDoc is (almost always) a development dependency. A vulnerability in it will not affect a production version of your application. A "high severity" vulnerability in Marked (GHSA-rrrm-qjm4-v8hf) can only actually cause you problems if you're running TypeDoc on code which re-exports elements from modules not under your control.
Comments? Mitigation strategies? Things I've missed?
Ref: #1854, cc @bennycode