Viewing 7 posts - 1 through 7 (of 7 total)
  • #1374039

    Can you please update jquery in the documentation at: \documentation\documentation\assets\js\jquery.js

    as version 1.5.1 has:
    CVE-2012-6708
    CVE-2015-9251
    CVE-2019-11358
    CVE-2020-11022
    CVE-2020-11023
    CVE-2011-4969

    see versions at https://releases.jquery.com/jquery/

    thank you

    • This topic was modified 2 years, 1 month ago by testq1.
    #1374055

    Hey testq1,
    Thank you for your question, but the assets in the documentation directory are only for the index.html file in the documentation directory; they are not for the theme.
    The theme doesn’t supply the jQuery file; it uses the file supplied by WordPress, which is currently v3.6.1.

    Best regards,
    Mike

    #1374057

    Hi,

    True, it’s only documentation, but it’s better to have a more secure version of it even if it’s a low prio.

    There are also two more findings from checking Vulnerable Dependencies for my client in the files:

    enfold\dev\package-lock.json?glob-parent
    (Confidence: Highest)
    CVE-2020-28469 (OSSINDEX)

    enfold\dev\package-lock.json?terser
    (Confidence: Highest)
    NPM-1081699

    Would be great if you could clean/update the Vulnerable Dependencies.
    Thanks!

    • This reply was modified 2 years, 1 month ago by testq1.
    #1374067

    Hi,
    Ok, thanks for pointing this out. I will submit it to the Dev Team for their review.

    Best regards,
    Mike

    #1374233

    Hey!

    Did you install the dependencies in the enfold > dev folder? If not, then you should not be worrying at all about this. The dependencies glob-parent and terser are only dev dependencies, which are used by the developers in their own environment to build something else, which also means that these packages do not actually exist in your installation.

    Regards,
    Ismael

    #1374415

    The files in the dev folder are included in the installation (unlike the documentation) when adding the theme to a WordPress installation, and they can be accessed from the internet. For example, /wp-content/themes/enfold/dev/readme.txt

    As I see it, there is no point in using old insecure dependencies even if the main code doesn’t use them. Especially when the insecure files are accessible from the internet and when there is a new version to update to.

    Also, when scanning plugins for vulnerabilities for my client, they will come up and mess up my list of urgent plugin CVEs. Therefore, it would be great if you could update them in future. ;) I know there are workarounds I can do to solve it, but I prefer to fix it how it should be done, by updating to newer versions.
    Thanks!

    #1374558

    Hi,

    Did you install the dependencies in the dev folder and actually use the scripts to minify the files? If not, then it means that the dependencies or packages (node_modules) do not actually exist in your installation. What is being reported in your tool is just a list of dependencies in the package.json file they deemed vulnerable, the actual packages do not exist. And again, they are “dev dependencies”, so they will not be included in the dev folder even if you installed the dependencies using “npm install”. You can manually remove the dev folder if you think it is unsafe.

    Best regards,
    Ismael
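The disagreement in this thread is whether a scanner hit on a package-lock.json entry means a vulnerable package is actually present on the web server. The following script is an added triage example, not code from the thread or from the Enfold theme: given a theme directory and the package names a scanner flagged, it reports for each whether the lock file lists it, whether it is marked as a dev dependency, and whether a node_modules directory for it really exists on disk. The lock file contents and the theme tree are constructed here with placeholder versions.

```python
import json
import tempfile
from pathlib import Path

# Constructed sample lock file in npm lockfileVersion 1 layout, modelled on
# the enfold/dev/package-lock.json discussed in the thread. Versions are
# placeholders, not the real file's contents.
SAMPLE_LOCK = {
    "name": "enfold-dev",
    "lockfileVersion": 1,
    "dependencies": {
        "glob-parent": {"version": "0.0.0-placeholder", "dev": True},
        "terser": {"version": "0.0.0-placeholder", "dev": True},
        "jquery": {"version": "0.0.0-placeholder"},
    },
}


def triage_lockfile(theme_dir, flagged):
    """Classify scanner findings against what actually exists on disk.

    For each flagged package name, report whether dev/package-lock.json lists
    it, whether that entry is dev-only ("dev": true), and whether
    dev/node_modules/<name> is present. Returns {name: {...}}.
    """
    theme_dir = Path(theme_dir)
    with open(theme_dir / "dev" / "package-lock.json") as fh:
        lock = json.load(fh)
    deps = lock.get("dependencies", {})           # lockfileVersion 1
    packages = lock.get("packages", {})           # lockfileVersion 2/3
    report = {}
    for name in flagged:
        entry = deps.get(name) or packages.get(f"node_modules/{name}")
        report[name] = {
            "in_lockfile": entry is not None,
            "dev_only": bool(entry and entry.get("dev", False)),
            "installed": (theme_dir / "dev" / "node_modules" / name).is_dir(),
        }
    return report


def build_sample_theme():
    """Create a throwaway theme tree: the lock file plus one installed
    package (jquery) so both outcomes of the on-disk check are visible."""
    root = Path(tempfile.mkdtemp(prefix="enfold-sample-"))
    (root / "dev" / "node_modules" / "jquery").mkdir(parents=True)
    (root / "dev" / "package-lock.json").write_text(json.dumps(SAMPLE_LOCK))
    return root
```

A finding with `in_lockfile` true but `installed` false is a lock-file-only hit of the kind described above; it still argues for updating the lock file so scans stay clean, but it is not an exposed package.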
