Keeping up with security updates for your web browser is of increasing practical relevance. Under normal conditions this means important updates roughly every couple of weeks.
Mainline firefox or chromium packages are typically easy mode: For most people it’s a matter of staying on top of regular pacman updates. torbrowser-launcher updates from inside the browser and is also usually painless to manage.
Running custom builds or forks from AUR requires more attention. Is the AUR package up to date? If it’s a fork: Are security updates from Mozilla/Google downstreamed in a timely manner? Have you built it? Can you still build it? How long since you pulled and rebuilt that ungoogled-chromium binary and how many CVEs has it racked up by now?
Anyone running firefox-esr or any derivative like icecat, waterfox[1], mullvad-browser or konform-browser from AUR should probably be paying attention to this right now:
Arch Linux repositories updated llvm and clang to v22 on 2026-03-07. This caused a regression for Firefox ESR packaging resulting in compilation failure when building.
Firefox ESR 14.9.0 was released on 2026-03-24.
This means that since then, users of the AUR packages for these browsers have not been able to build a new version with security fixes on an up-to-date Arch Linux system. Some users may be prepared to handle this by maintaining separate build infra with an internal registry, where keeping system packages frozen on an older version is acceptable, but for everyone else this is a conundrum.
Anyone browsing the web on firefox-esr or a derivative should make sure to get fixes for the issues addressed in 140.9.0 ASAP.
The konform-browser AUR package has been patched with clang 22 toolchain fixes from Mozilla and should now build successfully. The other forks, including firefox-esr, will still need manual patching or downgrading clang toolchain packages to v21 to compile. The konform-browser patches for clang 22 are in the AUR repo and should be portable to the other browsers too. If others can share their results in testing (both X11 and Wayland) or reviewing the fix, this might help in sorting out the firefox-esr situation sooner rather than later, too.
1: Looking at git log it claims to build as of the wasi-compiler-rt21 makedepends but I have still not been able to make it compile when attempting. Please LMK if I’m holding it wrong and there is a way!
Announcement brought to you by Konform Browser
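The checks the post asks about (is the local build behind the AUR, is the AUR package itself flagged, is the build blocked by clang 22), as an added example that is not part of the original post or the Konform Browser project. It assumes input in the shape of `pacman -Q` output and an AUR RPC `info` response; the function names and all sample versions are constructed for illustration.

```python
import json

# ESR-based AUR packages the post names as still failing to build with clang 22
# (konform-browser is left out because the post says it has been patched).
NEEDS_CLANG22_PATCH = {"firefox-esr", "icecat", "waterfox", "mullvad-browser"}

def parse_pacman_q(text):
    """Parse `pacman -Q`-style lines ("name version") into a dict."""
    return dict(line.split(None, 1) for line in text.splitlines() if line.strip())

def audit(pacman_q_text, aur_info_json):
    """Return {package: [findings]} for installed browsers that need attention."""
    installed = parse_pacman_q(pacman_q_text)
    clang_major = int(installed.get("clang", "0").split(".")[0])
    findings = {}
    for pkg in json.loads(aur_info_json)["results"]:
        name, notes = pkg["Name"], []
        local = installed.get(name)
        if local is None:
            continue  # not installed here, nothing to report
        # Assumption: any mismatch means the local build is not what the AUR ships now.
        if local != pkg["Version"]:
            notes.append(f"installed {local}, AUR has {pkg['Version']}: rebuild")
        # OutOfDate is a timestamp when users flagged the package, otherwise null.
        if pkg.get("OutOfDate"):
            notes.append("flagged out of date on the AUR: check upstream release")
        if name in NEEDS_CLANG22_PATCH and clang_major >= 22:
            notes.append(f"clang {clang_major}: build needs patches or clang 21")
        if notes:
            findings[name] = notes
    return findings

# Constructed sample input (versions and timestamp are illustrative, not real data).
SAMPLE_PACMAN_Q = """\
clang 22.1.0-1
firefox-esr 140.8.0-1
konform-browser 140.9.0-1
"""
SAMPLE_AUR_INFO = json.dumps({"results": [
    {"Name": "firefox-esr", "Version": "140.8.0-1", "OutOfDate": 1774400000},
    {"Name": "konform-browser", "Version": "140.9.0-1", "OutOfDate": None},
]})

if __name__ == "__main__":
    for name, notes in audit(SAMPLE_PACMAN_Q, SAMPLE_AUR_INFO).items():
        print(name, *notes, sep="\n  - ")
```

Note that the first sample entry shows the case a plain version comparison misses: the local build matches the AUR, yet the AUR package itself is stale and cannot be rebuilt on the current toolchain.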


Is there something particular going on or that has occurred to make you say this? Wondering what I’m missing.
Not one thing in particular but a general trend driven by several factors. Things recently have, are, and will continue to heat up.
For one, past few months a few significant supply-chain attacks have been hitting popular developer tooling and libraries used for web development. As devs get compromised, this will “trickle down” to users.
For two, as stakes are rising, devs are burning out and the economy is shifting, crap like this is just considered “Monday” now. Already been common with browser addons for a while now.
As for browser themselves, take a closer look at release notes and changelogs (for forks, go to upstream). Note the number and severity of addressed issues and update frequency.
Adoption and evolution of LLMs also tie into this in multiple ways. Others have written at length about this. If there is one thing doomers and hypers agree on, it’s this.
Oh, and be careful with archive links.
Was wondering the same.
My firefox, vivaldi, zen and tor browsers all appear to be getting updates.
Not sure exactly how often as I only really monitor pacman / yay’s output for .pacnew files, folder permission changes and the odd note to re-install grub…
Yeah, I mean I’m a web developer so I should keep track on my news outlets regarding serious vulnerabilities in web browsers and I haven’t seen any uptick in issues lately that makes me more worried about browser updates than like 5 years ago. So I’m particularly interested in that first statement here.
I update my browser as soon as an update is available. 🤷‍♂️
This comment and its support is baffling to me. How is this not obvious to professionals?
Then you have not been paying attention and I urge you to start doing so!
Blogs:
https://socket.dev/blog
https://krebsonsecurity.com/
https://www.malwarebytes.com/blog
https://johnhammond.beehiiv.com/archive
https://www.bleepingcomputer.com/author/bill-toulas/