[encoderer]

Yeah that's a fair (and more charitable) way to read that. But it's also not that clear. He spends a lot of time worrying about how much time they've spent on their extension.

Why no "woah, our other angular apps could be affected, is there any safe subset of angular 1?"

There aren't many products where security matters THAT much. I'd hope that the people working on password managers have a total security first mindset.