Package: nodejs
Followup-For: Bug #989266

Hi,

> This version has security issues, which have been fixed with 12.21.1 -
> see
> https://github.com/nodejs/node/blob/master/doc/changelogs/CHANGELOG_V12.md#12.22.1

Well, actually 12.21.1 security issues don't apply to nodejs 12.21.0~dfsg-4.
This fact has been checked by the security team and by the nodejs maintainer.

> Also, the upstream maintenance support for Version 12 will end in
> April 2022, meaning, the Debian Security Team and/or maintainer will
> have the sole responsibility to keep this package secure from then on,
> with no support from upstream, if it will be delivered like this with
> bullseye.

True. However, it is simply not possible to move to node 14 without updating all of the modules currently in Debian, potentially breaking applications using them, etc.
This has to be an orchestrated work, involving many Debian maintainers - most of them in their free time.
Nodejs 14 will be for bullseye+1, and it's at least one year too late to change that.

On the other hand, many nodejs critical security issues come from the libraries it depends on - which are covered by the security team.
Typically the 12.21.1 version is only fixing openssl/npm issues, which means the fixes are made in the corresponding Debian packages.

Also LTS maintenance sometimes continues on further than initially advertised - and even if not, several outsiders are maintaining security backports to recently dead nodejs branches - Debian is not alone on that side of the time.

Jérémy