
[react] Old React versions are not EOL (security updates) #6684

Open: wants to merge 1 commit into master
Conversation

istvanp commented Jan 31, 2025

The previous update to React #6675 does not properly reflect React's stance on security updates.

See React maintainer @gaearon's comment: reactjs/react.dev#1745 (comment)

> If there was a critical security vulnerability affecting all majors we would do every effort to release a patch for the latest minor of every major, as well as for every minor of the current major.

I think the wording is clear that versions 18 and below would receive a security update if there was a critical vulnerability.

I don't think there is a new stance on this from React but I could be wrong (the official comment is from 2021).

welcome bot commented Jan 31, 2025

Thank you for opening this pull request 👍. If you are not familiar with the project, please check out our Contributing Guidelines and our Guiding Principles. Also take a look at our Hacking Guide if you intend to work on site internals.

usta (Member) commented Jan 31, 2025

But you are missing the main point: those are EOLed, but if they find a critical bug and any hotfix is applied, we increase the EOL date to the latest release date (you can observe this on releaseCycle: "15").
On the other hand, it is clearly mentioned that if a major version is released, the older version's support ends (the only exception is found critical bugs).
So my 2 cents for this PR is 👎

@usta usta changed the title Old React versions are not EOL (security updates) [react] Old React versions are not EOL (security updates) Jan 31, 2025
istvanp (Author) commented Jan 31, 2025

But that is why you have another column for "Security Support"? They are EOL for development only, not for critical security fixes.

That column's job (as I understand it) is to indicate whether it's safe to remain on an older version or not should there be a vulnerability. If it's got an end date, it means we should move onto a newer version as soon as possible, which is not the case here because they are continuing support with regards to critical security issues at any time.

captn3m0 (Member) commented Feb 1, 2025

I was also surprised by #6675, since it drastically changes what we counted as security support, without any change in upstream guidance with the v19 release.

ljharb commented Feb 1, 2025

Dan's comment isn't necessarily the same thing as a project-level commitment to definitely releasing security fixes, which is what I'd consider necessary for "support".

Best-effort is great! but not "supported".

captn3m0 (Member) commented Feb 1, 2025

As it stands, https://endoflife.date/react has conflicting guidance in the table vs. the support text. At the very least we should update the text to inform the users about the best-effort stance.

pjgorman commented Feb 8, 2025

A 3.5 year old issue comment does not a versioning policy make.
I've combed through the actual React versioning policy, and I find no mention of even a 'best effort' to patch previous major releases, nor of the current Support Text's claim that "Critical Security fixes are backported to all minor releases of the current major, as well as to latest minor release of previous major releases."

Granted, I'm not doubting the React team's intent (or willingness) to backport security fixes as far as possible, but something to that end should be reflected somewhere in the project documentation.

I'd recommend updating the Support text to call it like it is:
It has been suggested that best effort will be made to address critical security vulnerabilities in previous affected major releases as well as in every minor release of the current major release, but this intent is not documented in the project's versioning policy.

Submitted an alternative PR.

5 participants