Jquery.js #1591
Comments
Discussed elsewhere on the repo. Here's one place that I recall: #1351 (comment)
Seems it was upgraded to 3.4.1 (9ed7586) to fix a previous vulnerability and then reverted in 4fbf8ff.
Every repository hosting yard-generated docs is receiving GHSA-q4m3-2j7h-f7xw alerts. Ex: https://github.com/noraj/PixelChart/security/dependabot/15 I guess yard is probably not vulnerable, as it generates static documentation and there is nearly no user input outside of the search bar. But it's annoying that anyone using yard receives a false-positive vulnerability alert.
The upgraded version of jQuery created regressions in generated documentation. If someone wants to open a PR with a version of jQuery that does not break downstream usage, it might be accepted. Another option would be for someone to provide the upgrade with necessary shims/updates to yard code in order to not break downstream users. Alternatively, if someone wants to show a proper reproduction of the vulnerability being used in the context of yard, it could be prioritized more highly. It's worth noting that downstream users are also free to provide their own jQuery by using templating in yard to override the original version, so if you're getting notices on GitHub, you can address them by vendoring your own jQuery; you will however be subject to potential regressions.
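If you vendor your own jQuery as the comment above suggests, the useful check afterwards is to confirm which jQuery version your generated doc tree actually ships. The following script is an added example, not yard's code or anything from this thread; it reads the version banner at the top of each `jquery*.js` under a doc root and flags anything below a threshold (defaulting to 1.9.0, the version the issue mentions). The `demo` function builds a constructed sample tree rather than real yard output.

```ruby
# Added example, not part of yard or of this issue thread.
require 'rubygems'
require 'pathname'
require 'tmpdir'

# Matches the banner found at the top of full and minified jQuery builds,
# e.g. "jQuery JavaScript Library v1.7.1" or "/*! jQuery v3.4.1 | ...".
JQUERY_BANNER = /jQuery(?: JavaScript Library)? v(\d+\.\d+\.\d+)/

# Returns the jQuery version string found in +source+, or nil if no banner.
def jquery_version(source)
  m = JQUERY_BANNER.match(source)
  m && m[1]
end

# Walks +doc_root+ and returns { relative_path => { version:, outdated: } }
# for every jquery*.js file. A file with no banner is reported as outdated
# so that an unrecognised copy is never silently accepted.
def scan_docs(doc_root, minimum = '1.9.0')
  root = Pathname.new(doc_root)
  min = Gem::Version.new(minimum)
  Pathname.glob(root.join('**', 'jquery*.js')).each_with_object({}) do |file, out|
    version = jquery_version(file.read)
    # Gem::Version compares numerically, so 1.10.x correctly sorts above 1.9.x.
    outdated = version.nil? || Gem::Version.new(version) < min
    out[file.relative_path_from(root).to_s] = { version: version, outdated: outdated }
  end
end

# Builds a constructed sample doc tree (not real yard output) and scans it.
def demo
  Dir.mktmpdir('yard-doc') do |dir|
    Dir.mkdir(File.join(dir, 'js'))
    File.write(File.join(dir, 'js', 'jquery.js'),
               "/*! jQuery v1.7.1 jquery.com | jquery.org/license */\n")
    File.write(File.join(dir, 'jquery.min.js'),
               "/*! jQuery v3.4.1 | (c) JS Foundation | jquery.org/license */\n")
    scan_docs(dir)
  end
end

if $PROGRAM_NAME == __FILE__
  demo.each { |path, info| puts "#{path}: #{info[:version] || 'unknown'}#{info[:outdated] ? ' (below threshold)' : ''}" }
end
```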
Hello!
This is more of a security issue and a question about it. Why are you using version 1.7.1 of jquery? Everything less than 1.9 has an XSS vulnerability?
Best wishes!
Jan