
[Security] Bump jquery from 3.4.1 to 3.5.0 in /components #2169

Conversation
@dependabot-preview dependabot-preview bot commented Apr 10, 2020

Bumps jquery from 3.4.1 to 3.5.0.

Commits
  • 7a0a850 3.5.0
  • 8570a08 Release: Update AUTHORS.txt
  • da3dd85 Ajax: Do not execute scripts for unsuccessful HTTP responses
  • 065143c Ajax: Overwrite s.contentType with content-type header value, if any
  • 1a4f10d Tests: Blacklist one focusin test in IE
  • 9e15d6b Event: Use only one focusin/out handler per matching window & document
  • 966a709 Manipulation: Skip the select wrapper for <option> outside of IE 9
  • 1d61fd9 Manipulation: Make jQuery.htmlPrefilter an identity function
  • 04bf577 Selector: Update Sizzle from 2.3.4 to 2.3.5
  • 7506c9c Build: Resolve Travis config warnings
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by mgol, a new releaser for jquery since your current version.


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in the .dependabot/config.yml file in this repo:

  • Update frequency
  • Out-of-range updates (receive only lockfile updates, if desired)
  • Security updates (receive only security updates, if desired)

@dependabot-preview dependabot-preview bot added the dependencies and javascript labels Apr 10, 2020
@valentijnscholten (Member)

The error is coming from this JavaScript piece loaded on every page. I think it's there to keep the small help text popups alive when the user scrolls over the help text itself:

        $('.has-popover').popover({'trigger':'hover'});
test_create_product (__main__.ProductTest) ... [0411/084825.349:INFO:CONSOLE(4046)] "jQuery.Deferred exception: e.hasOwnProperty is not a function TypeError: e.hasOwnProperty is not a function
    at s.m.getOptions (http://localhost:8080/static/bootstrap/dist/js/bootstrap.min.js:6:23482)
    at s.m.init (http://localhost:8080/static/bootstrap/dist/js/bootstrap.min.js:6:22370)
    at new s (http://localhost:8080/static/bootstrap/dist/js/bootstrap.min.js:6:31115)
    at HTMLElement.<anonymous> (http://localhost:8080/static/bootstrap/dist/js/bootstrap.min.js:6:32659)
    at Function.each (http://localhost:8080/static/jquery/dist/jquery.js:381:19)
    at jQuery.fn.init.each (http://localhost:8080/static/jquery/dist/jquery.js:203:17)
    at jQuery.fn.init.e [as popover] (http://localhost:8080/static/bootstrap/dist/js/bootstrap.min.js:6:32528)
    at HTMLDocument.<anonymous> (http://localhost:8080/product/add:938:27)
    at mightThrow (http://localhost:8080/static/jquery/dist/jquery.js:3762:29)
    at process (http://localhost:8080/static/jquery/dist/jquery.js:3830:12) undefined", source: http://localhost:8080/static/jquery/dist/jquery.js (4046)

@valentijnscholten (Member)

XSS in versions < 3.5.0: https://snyk.io/vuln/SNYK-JS-JQUERY-565129

@valentijnscholten (Member)

valentijnscholten commented Apr 14, 2020

I looked some more into this and compared jQuery 3.4.1 with 3.5.0. We arrive at some code in bootstrap, and with a breakpoint the data looks like this in 3.4.1 and 3.5.0, so the same:

[screenshot]

However when I look at the dataAttributes object, there is a difference.
3.4.1:
[screenshot]

3.5.0:
[screenshot]

So in 3.4.1 the dataAttributes is a true JavaScript object with properties/functions. In 3.5.0 it seems to be just a "dictionary" with some key value pairs.

I am a backend developer, so I don't know if this is a bug in bootstrap or in jquery?
Google tells me "everything in JavaScript is an object and should have the hasOwnProperty function". My backend mind tells me, "well, just a little dictionary doesn't always have to have the full suite of functions, does it?".

It could also be something in our code, but I would be surprised as our html/js is the same and also the data in the attributes is the same. But who knows. Anyone can advise?

BTW, our HTML:

<span class="fa fa-question-circle has-popover" data-toggle="popover" data-content="Destinations for system notifications are configured in System Settings. Destinations for personal notifications are taken from your personal contact details (personal Slack notifications will be sent to you as a direct message)."></span>
personal:829 <i class="fa fa-question-circle has-popover" data-toggle="popover" data-content="Triggered whenever an (re-)import has been done that created/updated/closed findings." data-placement="right" data-container="body">
                                </i>

JS:

        $('.has-popover').popover({trigger: 'hover', html: 'true'});
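As an added illustration (not code from the jQuery, Bootstrap or DefectDojo projects), the snippet below reproduces the "hasOwnProperty is not a function" failure described in the comment above and shows the defensive check that survives it. It assumes that the 3.5.0 "dictionary" behaves like an object with no prototype (a stand-in, not a claim about jQuery internals), and the two option-merging functions are constructed stand-ins for the Bootstrap popover code path, not its real code.

```javascript
"use strict";

// Constructed stand-in for what $(el).data() returned in 3.4.1: an ordinary object,
// which inherits hasOwnProperty from Object.prototype.
const dataAttrs341 = { toggle: "popover", content: "help text", placement: "right" };

// Constructed stand-in for the 3.5.0 "just a dictionary": same keys, but created with a
// null prototype, so it has no hasOwnProperty function at all (an assumption, see lead-in).
const dataAttrs350 = Object.assign(Object.create(null), dataAttrs341);

// Fragile pattern: merge defaults, data attributes and caller config, relying on the
// receiver's own hasOwnProperty. Works for dataAttrs341, throws TypeError for dataAttrs350.
function fragileGetOptions(defaults, dataAttrs, config) {
  const merged = Object.assign({}, defaults);
  for (const key in dataAttrs) {
    if (dataAttrs.hasOwnProperty(key)) merged[key] = dataAttrs[key];
  }
  return Object.assign(merged, config);
}

// Hardened pattern: borrow Object.prototype.hasOwnProperty so the check does not depend
// on what the incoming object inherits.
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function robustGetOptions(defaults, dataAttrs, config) {
  const merged = Object.assign({}, defaults);
  for (const key in dataAttrs) {
    if (hasOwn(dataAttrs, key)) merged[key] = dataAttrs[key];
  }
  return Object.assign(merged, config);
}

// Returns the name of the error thrown by fn, or null if it completed normally.
function thrownName(fn) {
  try { fn(); return null; } catch (e) { return e.name; }
}

// Constructed defaults and caller config mirroring the popover call on this page.
const defaults = { trigger: "click", placement: "top", html: false };
const callerConfig = { trigger: "hover", html: "true" };

console.log("3.4.1-style data:", thrownName(() => fragileGetOptions(defaults, dataAttrs341, callerConfig)));
console.log("3.5.0-style data:", thrownName(() => fragileGetOptions(defaults, dataAttrs350, callerConfig)));
console.log("hardened merge:", robustGetOptions(defaults, dataAttrs350, callerConfig));
```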

@madchap madchap requested a review from a team April 14, 2020 21:40
@valentijnscholten (Member)

valentijnscholten commented Apr 15, 2020

Issue confirmed by bootstrap / jquery teams:

twbs/bootstrap#30553
jquery/jquery#4665

To be fixed in jquery 3.5.1

@valentijnscholten (Member)

I don't think we can say ignore minor version to dependabot because that would ignore 3.5.1 etc as well? So let's just wait a couple of days until 3.5.1 arrives :-)

@valentijnscholten (Member)

@dependabot close

@dependabot-preview dependabot-preview bot deleted the dependabot/npm_and_yarn/components/dev/jquery-3.5.0 branch April 15, 2020 09:28
@dependabot-preview (Contributor, Author)

We've just been alerted that this update fixes a security vulnerability:

Sourced from The GitHub Security Advisory Database.

Potential XSS vulnerability in jQuery
In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code.

This problem is patched in jQuery 3.5.0.

Affected versions: [">= 1.0.3 < 3.5.0"]

@dependabot-preview (Contributor, Author)

We've just been alerted that this update fixes a security vulnerability:

Sourced from The GitHub Security Advisory Database.

Potential XSS vulnerability in jQuery

Impact

Passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code.

Patches

This problem is patched in jQuery 3.5.0.

Workarounds

To workaround the issue without upgrading, adding the following to your code:

... (truncated)

Affected versions: [">= 1.2 < 3.5.0"]

@dependabot-preview dependabot-preview bot changed the title Bump jquery from 3.4.1 to 3.5.0 in /components [Security] Bump jquery from 3.4.1 to 3.5.0 in /components Apr 29, 2020
@valentijnscholten valentijnscholten restored the dependabot/npm_and_yarn/components/dev/jquery-3.5.0 branch September 1, 2020 07:15
@valentijnscholten (Member)

As in #2805, we should get a new PR for jquery 3.5.1, and according to GitHub support we need to reopen this old PR to get dependabot to do that. Sounds crazy, but let's see what happens.

@dependabot-preview dependabot-preview bot force-pushed the dependabot/npm_and_yarn/components/dev/jquery-3.5.0 branch from e6693b0 to 8480a05 Compare September 1, 2020 07:16
@valentijnscholten (Member)

@dependabot reopen

@dependabot-preview (Contributor, Author)

OK, I won't notify you again about this release, but will get in touch when a new version is available.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

@valentijnscholten (Member)

@dependabot reopen

@dependabot-preview dependabot-preview bot reopened this Sep 1, 2020
@dependabot-preview (Contributor, Author)

Superseded by #2829.

@dependabot-preview dependabot-preview bot deleted the dependabot/npm_and_yarn/components/dev/jquery-3.5.0 branch September 2, 2020 11:36
Labels: dependencies, do-not-merge, invalid, javascript, Review Needed, security