Hi,

Thank you for checking and creating this issue. Overall, you're completely correct. There is, however, some nuance I'd like to provide to the statement you quoted:

"""
Versions 1.6 and older
should no longer be used due to known security issues that cannot be resolved
in that code base.
"""

While this statement is true for the 1.6 version released upstream (I'm upstream 
as well as the last person to update the package), the CVE fixes that this statement
refers to *have* been backported to Debian. The "cannot" part refers to security issues
in the 1.2 code base. For 1.3+ it should have said "will not".


Now that we *are* on the topic of updating the package, I have some questions with respect to
the JavaScript the 1.10 and higher releases depend on, since the build process for the
JavaScript assets has changed from direct inclusion of the DojoToolkit dependency to a much
broader set of dependencies built with WebPack. I'm looking for someone with experience
packaging similar applications on Debian. Can you help me get in contact with a person who
might be able to help me?

Regards,
Erik.