[cf-expandables] [cf-tables] Update jQuery to 1.12.x
marteki opened this issue · 4 comments
Right now, the `package.json` files for `cf-expandables` and `cf-tables` are using a tilde to match against 1.11.0, which only pulls in other 1.11.x minor versions. Due to security vulnerabilities, using a higher version such as 1.12.x might be better.

The general `package.json` for this repo has the same versioning for jQuery.
Current behavior

If you currently use `cf-expandables` or `cf-tables`, your security folks might pass you the following information:

```
Cross-site Scripting (XSS)
Medium severity
Vulnerable module: jquery
Introduced through: cf-expandables@3.1.0 and cf-tables@1.1.0
Fix this vulnerability

Detailed paths
Introduced through: [link-to-a-commit-in-a-repo] › cf-expandables@3.1.0 › jquery@1.11.3
Introduced through: [link-to-a-commit-in-a-repo] › cf-tables@1.1.0 › jquery@1.11.3

Overview
jquery is JavaScript library for DOM operations.
Affected versions of the package are vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain ajax request is performed without the dataType option causing text/javascript responses to be executed.
```
Expected behavior

- No security vulnerabilities as a result of using the components of this package.
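The range problem the issue describes, as an added example that is not part of the original issue or of the Capital Framework repo: a minimal checker that resolves an npm range the way npm does for tilde, caret and exact pins, and shows that `~1.11.0` can only ever land on a 1.11.x patch release while `~1.12.0` reaches the fixed line. The published version list and the two `package.json` fragments are constructed sample data, and `auditJquery` is a hypothetical helper name.

```javascript
// Added example: resolve an npm dependency range against a list of published
// versions and flag ranges that can never reach a fixed version.
// Only tilde (~), caret (^) and exact pins are implemented.
const parse = (v) => v.split('.').map(Number);
const cmp = (a, b) => {
  const [x, y] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
};

// Translate a range to [lower inclusive, upper exclusive] per npm semantics:
//   ~1.11.0 -> >=1.11.0 <1.12.0  (patch updates only)
//   ^1.11.0 -> >=1.11.0 <2.0.0   (minor and patch updates; assumes major > 0)
//   1.11.0  -> exactly 1.11.0
function bounds(range) {
  const op = range[0];
  const base = /^[~^]/.test(range) ? range.slice(1) : range;
  const [maj, min] = parse(base);
  if (op === '~') return [base, `${maj}.${min + 1}.0`];
  if (op === '^') return [base, `${maj + 1}.0.0`];
  return [base, null];
}

function satisfies(version, range) {
  const [lo, hi] = bounds(range);
  if (hi === null) return cmp(version, lo) === 0;
  return cmp(version, lo) >= 0 && cmp(version, hi) < 0;
}

// Highest published version the range allows, i.e. what npm would install.
function resolve(range, published) {
  const ok = published.filter((v) => satisfies(v, range)).sort(cmp);
  return ok.length ? ok[ok.length - 1] : null;
}

// Report whether the jquery range in a package.json can reach `fixed`.
function auditJquery(pkg, published, fixed) {
  const range = pkg.dependencies.jquery;
  const picked = resolve(range, published);
  return { range, picked, reachesFix: picked !== null && cmp(picked, fixed) >= 0 };
}

// Constructed sample inputs (not real registry data).
const published = ['1.11.0', '1.11.1', '1.11.2', '1.11.3', '1.12.0', '1.12.4', '2.2.4', '3.3.1'];
const before = { dependencies: { jquery: '~1.11.0' } }; // current pinning
const after = { dependencies: { jquery: '~1.12.0' } };  // proposed pinning

console.log(auditJquery(before, published, '1.12.0')); // picked 1.11.3, reachesFix false
console.log(auditJquery(after, published, '1.12.0'));  // picked 1.12.4, reachesFix true
```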
@marteki Will consumer trends be able to use v4 of Capital Framework or do we need to add a retro release to v3 to fix this?
Bump @marteki do we still need to do something here or can Consumer Trends be moved to the v4 updates?
What do we want to do here?
I don't think we have the resources to update older versions of CF. I think we ought to close this and put those efforts toward updating projects to use v4 (now v5 for the entire framework).