Keeping up with security updates for your web browser is of increasing practical relevance. Under normal conditions this means important updates roughly every couple of weeks.

Mainline firefox or chromium packages are typically easy mode: For most people it’s a matter of staying on top of regular pacman updates. torbrowser-launcher updates from inside the browser and is also usually painless to manage.

Running custom builds or forks from AUR requires more attention. Is the AUR package up to date? If it’s a fork: Are security updates from Mozilla/Google downstreamed in a timely manner? Have you built it? Can you still build it? How long since you pulled and rebuilt that ungoogled-chromium binary and how many CVEs has it racked up by now?

Anyone running firefox-esr or any derivative like icecat, waterfox[1], mullvad-browser or konform-browser from AUR should probably be paying attention to this right now:

Arch Linux repositories updated llvm and clang to v22 on 2026-03-07. This caused a regression for Firefox ESR packaging resulting in compilation failure when building.

Firefox ESR 14.9.0 was released on 2026-03-24.

This means that since then, users of the AUR packages for these browsers have not been able to build a new version with security fixes on an up-to-date Arch Linux system. Some users may be prepared to handle this by maintaining separate build infra with an internal registry where keeping system packages frozen on an older version is acceptable, but for everyone else, this is a conundrum.

Anyone browsing the web on firefox-esr or a derivative should make sure you get fixes for the issues addressed in 140.9.0 asap.

The konform-browser AUR package has been patched with clang 22 toolchain fixes from Mozilla and should now build successfully. The other forks including firefox-esr will still need manual patching or downgrading clang toolchain packages to v21 to compile. The konform-browser patches for clang 22 are in the AUR repo and should be portable to the other browsers too. If others can share their results in testing (both X11 and Wayland) or reviewing the fix, this might help in sorting out the firefox-esr situation sooner rather than later, too.

[1]: Looking at git log it claims to build as of the wasi-compiler-rt21 makedepends but I have still not been able to make it compile when attempting. Please LMK if I’m holding it wrong and there is a way!

Announcement brought to you by Konform Browser
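
A way to check where a machine stands relative to the situation in the post above, as an added example that is not part of the original post or of any package it mentions. The function names and status strings are hypothetical; the 140.9.0 and clang 22 thresholds are the ones the post gives, and only `firefox-esr` is checked because forks may use their own version numbering.

```sh
# Classify an ESR install from `pacman -Q` output ("name version-pkgrel" lines).
FIXED_VER="140.9.0"   # release the post says carries the fixes
CLANG_BREAK=22        # clang major the post says breaks the ESR build

# pkg_version NAME: upstream version of NAME (epoch and pkgrel stripped).
pkg_version() {
    awk -v n="$1" '$1 == n { v = $2; sub(/^[0-9]+:/, "", v)
                             sub(/-[^-]*$/, "", v); print v; exit }'
}

# version_lt A B: succeeds when A sorts strictly before B (GNU sort -V).
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

# esr_status PKG: reads `pacman -Q` lines on stdin and prints one of
#   not-installed | has-fix | outdated-buildable |
#   outdated-build-blocked | outdated-clang-not-installed
esr_status() {
    _list=$(cat)
    _browser=$(printf '%s\n' "$_list" | pkg_version "$1")
    _clang=$(printf '%s\n' "$_list" | pkg_version clang)
    if [ -z "$_browser" ]; then echo not-installed; return 0; fi
    if ! version_lt "$_browser" "$FIXED_VER"; then echo has-fix; return 0; fi
    if [ -z "$_clang" ]; then
        # makepkg would pull the current repo clang as a makedepend
        echo outdated-clang-not-installed
    elif [ "${_clang%%.*}" -ge "$CLANG_BREAK" ]; then
        echo outdated-build-blocked
    else
        echo outdated-buildable
    fi
}

# Constructed sample of `pacman -Q` output (not from a real system).
SAMPLE='clang 22.1.0-1
firefox-esr 140.8.0-1
llvm 22.1.0-1'
printf '%s\n' "$SAMPLE" | esr_status firefox-esr
```

On a real system, run it as `pacman -Q | esr_status firefox-esr`.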

  • ken@discuss.tchncs.de (OP), 5 days ago

    > Is there something particular going on or that has occurred to make you say this? Wondering what I’m missing.

    Not one thing in particular but a general trend driven by several factors. Things recently have, are, and will continue to heat up.

    For one, past few months a few significant supply-chain attacks have been hitting popular developer tooling and libraries used for web development. As devs get compromised, this will “trickle down” to users.

    For two, as stakes are rising, devs are burning out and the economy is shifting, crap like this is just considered “Monday” now. Already been common with browser addons for a while now.

    As for browsers themselves, take a closer look at release notes and changelogs (for forks, go to upstream). Note the number and severity of addressed issues and update frequency.

    Adoption and evolution of LLMs also tie into this in multiple ways. Others have written at length about this. If there is one thing doomers and hypers agree on, it’s this.

    Oh, and be careful with archive links.

    • Victor@lemmy.world, 4 days ago

      I have noticed a greater number of IT infrastructure attacks after the European(-adjacent) wars started in 2022. Even where I live, which isn’t particularly close to where the action is happening.

      > As for browsers themselves, take a closer look at release notes and changelogs (for forks, go to upstream). Note the number and severity of addressed issues and update frequency.

      This is to what I was mostly referring. I don’t really care to look at Chromium’s release notes anymore since 2018 when I switched back to Firefox, so I’m probably missing a lot there. But I read all the release notes from Firefox, and I haven’t seen much uptick in severity or number of addressed issues there. Maybe I’m not paying enough attention there either, or maybe they don’t have enough manpower or interest to fix/find severity issues. Or maybe they just don’t have them. 🙃

      But either way, it’s definitely a good idea to keep updated, on all your software packages! 🙂👍