Source: mozjs52 Version: 52.3.1-4 Severity: normal Control: block -1 by 878359 X-Debbugs-Cc: secur...@debian.org
mozjs52 has an embedded code copy of libicu. (The same is true for firefox-esr and firefox.) It is newer than the current system copy, so it is not necessarily safe to stop using it right now. When icu >= 58 reaches testing/unstable (#878359), mozjs52 can hopefully depend on it as a system library instead, closing this bug in the process. This would also allow removing a lot of hacks from the mozjs52 packaging. The major user of mozjs52 is going to be gjs, which is not a security boundary (it's JavaScript-as-extension-language, the same role that Lua frequently takes, rather than JavaScript-as-web-content) so this is probably not security-sensitive for gjs, but it might become security-sensitive if other packages migrate from mozjs or mozjs24 to mozjs52. smcv