Bug#1027472: ledgersmb: upstream says 1.6 is unsupported and insecure. Newer upstream version 1.10 available
Source: ledgersmb
Severity: normal
Tags: security

Please consider updating ledgersmb. Filing as RC critical due to security issues in the old version.

Upstream says: "The current stable release line is 1.10. For more information about older versions, see the FAQ item about supported releases. Versions 1.6 and older should no longer be used due to known security issues that cannot be resolved in that code base." [1]

Upstream had declared 1.6 end of life 2021-06-10 [2]

[1] https://ledgersmb.org/content/download
[2] https://ledgersmb.org/faq/which-versions-do-you-support

-- tobi
Hi,

Thank you for checking and creating this issue. Overall, you're completely correct. There is however some nuance I'd like to provide to the statement you quoted:

"""
Versions 1.6 and older should no longer be used due to known security issues that cannot be resolved in that code base.
"""

While this statement is true for the 1.6 version released upstream (I'm upstream as well as the last person to update the package), the CVE fixes that this statement refers to *have* been backported to Debian. The "cannot" part refers to security issues in the 1.2 code base. For 1.3+ it should have said "will not".

Now we *are* on the topic of updating the package, I have some questions with respect to the JavaScript the 1.10 and higher releases depend on, since the build process for the JavaScript assets has changed from direct inclusion of the DojoToolkit dependency to a much broader set of dependencies built with WebPack. I'm looking for someone with experience packaging similar applications on Debian. Can you help me get in contact with a person who might be able to help me?

Regards,

Erik.
participants (2)
- Erik Huelsmann
- Tobias Frost