rails/jquery-rails

Issue a security advisory for versions < 4.4.0

jonleighton opened this issue · 5 comments

The latest 4.4.0 release bumps the jQuery version to fix a security vulnerability. Issuing a GitHub security advisory for this project would enable GitHub's security tooling to pick up that users on earlier versions have a vulnerable dependency.

Ping @carlosantoniodasilva since you prepped the release

Bump -- the currently bundled versions of jQuery have security vulnerabilities as well.

@waissbluth do you have links, please?

@jonleighton my apologies, this totally fell off my radar, but I'll see what I can do.

@carlosantoniodasilva I realize now that jQuery 1 and 2 are no longer being patched, so even though there are vulnerabilities, there is no minor version to upgrade to. Thanks.

@waissbluth thanks.

It looks like someone sent a PR to update the libraries shipped with jquery-rails with those patches: #281, maybe that's something we can do.