Patch/vulnerability policy #3521
We need to decide how frequently we need to upgrade Angular across teams at my company. We'd like to target once/year, which will keep us inside Angular's LTS for bugs & security vulnerabilities. However, 3rd party libraries like ngrx are also a consideration. Looking at the recent release history, it looks like NGRX is only releasing patches for the most recent version. If there was a critical bug or security vulnerability, do you also support past versions? Or is the solution for users to upgrade to the latest?
Good question. As this is a community-maintained open source project, our policy is to support the latest release with ongoing support. That being said, we have backported fixes to older versions in the case of a severe bug or security fix, with #2829 being such an example that we fixed and published a patch release for older versions.
Ideally you would upgrade NgRx to match the major version of Angular you're upgrading to. We also try to provide migrations where possible for breaking changes along the way.
Hope this helps.