Updating mosquitto to > 2 will most likely break existing installations as there are changes for the listener and the plugin systems.

mosquitto 1.6 now has at least 3 new CVEs from August, fixed only in v2 series

https://mosquitto.org/security/

It's now crucial to have mosquitto v2 on EPEL8

You can name the package differently, for example mosquitto2, like redhat does with many incompatible releases.

This way mosquitto 1.6 will never be updated unintentionally

This package has changed maintainer in Fedora. Reassigning to the new maintainer of this component.

mosquitto 1.6 is EOL and has now a lot of CVEs
you can simply release it for EPEL8 with a diffrent name, as mosquitto2, like redhat does often to avoid breaking existing installations


August 2023: [CVE-2023-0809]: Fix excessive memory being allocated based on malicious initial packets that are not CONNECT packets. Affecting versions 1.5.0 to 2.0.15. Fixed in 2.0.16.
August 2023: [CVE-2023-3592]: Fix memory leak when clients send v5 CONNECT packets with a will message that contains invalid property types. Affecting version 1.6.0 to 2.0.15 Fixed in 2.0.16.
August 2023: [CVE-2023-28366]: Clients sending unacknowledged QoS 2 messages with duplicate message ids cause a memory leak. Affecting versions 1.3.2 to 2.0.15 inclusive, fixed in 2.0.16.
August 2022: Deleting the anonymous group in the dynamic security plugin could lead to a crash. Affecting versions 2.0.0 to 2.0.14 inclusive, fixed in 2.0.15.
August 2021: CVE-2021-34434 Affecting versions 2.0.0 to 2.0.11 inclusive, fixed in 2.0.12.
April 2021: CVE-2021-28166 Affecting versions 2.0.0 to 2.0.9 inclusive, fixed in 2.0.10.
December 2020: Running mosquitto_passwd with the following arguments only mosquitto_passwd -b password_file username password would cause the username to be used as the password. Affecting versions 2.0.0 to 2.0.2 inclusive, fixed in 2.0.3.