I don't know if packaging the JS into Debian would be enough. If I recall correctly, Discourse depends on client-side JS, so the issues are more immediate in the client-side where the client is the one more vulnerable.
There are other things that I didn't have time nor knowledge to check yet, like if Discourse has progressive enhancement.
2018-01-16T13:43:35+0100 Daniel Pocock wrote:
Thanks for all that feedback
Would packaging the Discourse JavaScript into Debian satisfy those concerns?
Is there enough interest in this topic to start building a wiki page about it?