While working recently on the v1.10.3 update to account for GHSA-48c2-rrv3-qjmp, I've come to realise that maintaining the v1 major version is more burden than I'm really interested in continuing in the long term, and so it's effectively reaching its end of life for security updates.
Therefore, this is prior notice that v1 support will end when the v3.0.0 release comes out, or on 31 October 2026 at latest. At that point I'll also mark the package as deprecated on npm.
The current major version's first release was in April 2022, and most v1 users should find updating to v2 not to need any changes. Updating to v3 will include changes to the document-level API, but the simplest parse() & stringify() APIs will remain almost completely unchanged.
Just to be clear, staying on v1 should be fine. It's just that its test & CI dependencies are so out of date that working with them is a bit painful. This also means that I'm unlikely to accept external contributions for it, because I won't have the capacity to validate them.
As noted in the security policy, please reach out to me directly to discuss a support agreement, if you're interested in extended support.
While working recently on the v1.10.3 update to account for GHSA-48c2-rrv3-qjmp, I've come to realise that maintaining the v1 major version is more burden than I'm really interested in continuing in the long term, and so it's effectively reaching its end of life for security updates.
Therefore, this is prior notice that v1 support will end when the v3.0.0 release comes out, or on 31 October 2026 at latest. At that point I'll also mark the package as deprecated on npm.
The current major version's first release was in April 2022, and most v1 users should find updating to v2 not to need any changes. Updating to v3 will include changes to the document-level API, but the simplest
parse()&stringify()APIs will remain almost completely unchanged.Just to be clear, staying on v1 should be fine. It's just that its test & CI dependencies are so out of date that working with them is a bit painful. This also means that I'm unlikely to accept external contributions for it, because I won't have the capacity to validate them.
As noted in the security policy, please reach out to me directly to discuss a support agreement, if you're interested in extended support.