Package: quickjs
Version: 2021.03.27-1
Severity: critical
X-Debbugs-Cc: secur...@debian.org

Hi,

I have packaged QuickJS, an embeddable JavaScript engine. It is a direct dependency for Edbrowse, a command-line browser, often used by blind users. This currently blocks the update to the latest Edbrowse version.

QuickJS is on the same "security-sensitive" level as Duktape, i.e. it is a JavaScript engine that, if exposed to untrusted sources, might have vulnerabilities. Duktape is already in Debian, so I would argue that we could also support QuickJS, hence seeking your feedback.

Upstream of *Edbrowse* said:

>> seems that QuickJS is not the most actively maintained project.
>
> Well, much more than duktape, which we used before. We had to drop duktape
> because it doesn't even support the es6 features of js, and emails to their
> maintainers went unanswered for months. In other words, duktape can't parse
> most of the js out there at this time.

I haven't talked to QuickJS upstream yet, mostly because I would need your feedback and to understand concerns, if any.

Thanks!
Sebastian

-- System Information:
Debian Release: bookworm/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.1.0-1-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled