
It is true about other formats, but those have been in browsers for a long time so by now we have patched most of the exploits.

WebP is one of the most recently added image formats, and it had zero day exploits as recently as 6 months ago.




> It is true about other formats, but those have been in browsers for a long time so by now we have patched most of the exploits.

The current debate is about JPEG XL vs AVIF. Advantages of old image formats are not relevant here.


How are they not irrelevant? This is a cyclical problem browsers and OSes have dealt with many times before, and JPEGXL will hardly be the last time. It's a fundamentally challenging situation that applies to the newest image codec as much as it does to old ZIP files or hostile PDFs.

There will always be some new format with some advantage or another, but safely parsing complex user generated content just isn't trivial, so every one of these is both a cost benefit analysis on its own merits but also a chance to reflect on historical implementations, vulnerabilities, and lessons learned.


If the argument is between two new formats, how are old formats at all relevant? The issues you outlined are faced by both (or any) new format, so they are essentially moot in the context of this conversation.


Did I miss something? The title and article are mostly about JPEG XL. What's the "both" in this? JPEG XL is the newest and has poor support. AVIF is mentioned offhandedly in that article, but it's a little older and still doesn't have great support. WebP is even older and also has occasional issues.

The image formats past WebP offer very minor improvements but have big potential for new zero-days. I don't think it's wrong to play it safe and/or just not implement them.


When deciding whether A is better than B, it is irrelevant to point out problems that apply to A and B equally.


>it had zero day exploits as recently as 6 months ago

That's not a measure of security.

How much malware exists for MacOS compared to Windows? Does that mean MacOS is safer?

You could easily argue the other way around and say that WebP has more undiscovered exploits.



