I believe the iso's and vms use firefox so they won't evaluate with this. And haven't we already declared 19.03 as EOL (and subsequently possibly having security vulnerabilities).
We'd in no way have the resources to mark every package with vulnerabilities on EOL releases.
Additionally, every person who uses firefox on 19.09 (not that I'm trying to support them) is going to have an issue building their configuration and would have to make a change. I don't think that's an appropriate change to make in any stable distribution.

See #77361 (comment) for why I created this. I understand 19.03 is EOL (although to be honest the information seems to be somewhat hidden in the release notes - also discussed in #77361).

I was in two minds about creating the PR, but I noticed that release-19.03 is still getting new commits, so I thought it might be worth marking the browsers as insecure because I believe they have a large impact on many users (sorry, I have no numbers to substantiate this claim, so take it as a personal opinion).

If you think it's not worth proceeding, I am OK with closing the PR and so be it. I can submit a new PR for master and 19.09 though.

Thank you very much.

Also, I don't know who to make the failed checks pass since it seems they fail exactly because the packages have been marked as insecure 😅

Right, this fails evaluation and is by design… I also don't think a backport is trivial - usually firefox updates trigger world rebuilds due to nss updates, so it might be best to just close this PR, sorry for the fuzz.

We should indeed show more prominently on the website about how long we backport security fixes to older releases, I opened NixOS/nixos-homepage#325.

Something like #23590 would also help to provide more visibility to users about the state of their current channels.