Elsethread we have been asked to backport a CVE fix for [lang] v2. I think the following is a fair expectation for users to have, which we are not really providing today.
(*) Security fixes will be provided for all components supported by Commons, and integrating the fixes will not require client code changes.

This is the normal expectation for software patching. CVE -> patch release -> update build -> exposure gone / scanning tools happy.

The key to making good on this commitment is to be clear on what "supported" means. Given our limited resources, I think it makes sense to generally limit support to the latest major version (allowing for some overlap, but not perpetual). That means that when we move to a new major release line, at some point we VOTE and announce EOL for n - 1 (with, say, a year's notice). In some cases, we may decide to support n - 1 for more than a year, but I think we need clear labeling.

To be clear, I think we *are* doing a good job of addressing vulnerabilities in current versions, and the "fixes will not require client code changes" part of (*) is hard to satisfy. Many (most?) libraries don't fully satisfy it. But given how deeply our components nest in dependency chains, I think it is a *good idea* for us to use EOL announcements to push upstream upgrades so it is less likely that we will be asked to backport patches to 14-year-old component versions.

Phil