Will you backport a fix to older versions? (< 1.24)
I wanted to answer your question. I discussed the possibility of backporting security fixes with the team. The decision we arrived at is that FusionAuth won't backport any security fixes to 1.23.
We haven't backported security fixes (or other functionality for that matter) between versions in the past. If we were going to commit to backports, we'd want to do it in a consistent manner, not just a one-off for this version. I'm not ruling out backporting in the future, but as long as we're on FusionAuth 1.x, we likely won't release any of these.
While we understand where the question is coming from, and we understand the fact that backports won't occur means that the option of not upgrading is less appealing, committing to such backports could negatively impact the engineering team and the codebase.
I hope this answer brings some clarity and helps you make the correct decision for your application and your business.
Thanks - Dan