Tagged: 

Viewing 7 posts - 1 through 7 (of 7 total)
  • Author
    Posts
  • November 27, 2022 at 6:54 pm #1374039
    testq1

    Can you please update jquery in the documentation at: \documentation\documentation\assets\js\jquery.js

    (Email address hidden if logged out) as version 1.5.1 got:
    CVE-2012-6708
    CVE-2015-9251
    CVE-2019-11358
    CVE-2020-11022
    CVE-2020-11023
    CVE-2011-4969

    see versions at https://releases.jquery.com/jquery/

    thank you

    • This topic was modified 1 year, 12 months ago by testq1.
    November 27, 2022 at 8:10 pm #1374055
    Mike

    Hey testq1,
    Thank you for your question, but the assets in the documentation directory is only for the index.html file in the documentation directory, it is not for the theme.
    The theme doesn’t supply the jQuery file, it uses the file supplied by WordPress which is currently v3.6.1

    Best regards,
    Mike

    November 27, 2022 at 8:30 pm #1374057
    testq1

    Hi,

    True, its only documentation but it’s better to have a more secure version of it even if it’s a low prio.

    There also two more founds when checking Vulnerable Dependencies for my client of the files:

    enfold\dev\package-lock.json?glob-parent
    (Email address hidden if logged out) (Confidence:Highest)
    CVE-2020-28469 (OSSINDEX)

    enfold\dev\package-lock.json?terser
    (Email address hidden if logged out) (Confidence:Highest)
    NPM-1081699

    Would ge great if you could clean/update the Vulnerable Dependencies.
    Thanks!

    • This reply was modified 1 year, 12 months ago by testq1.
    November 27, 2022 at 9:39 pm #1374067
    Mike

    Hi,
    Ok, thanks for pointing this out I will submit to the Dev Team for their review.

    Best regards,
    Mike

    November 29, 2022 at 7:20 am #1374233
    Ismael

    Hey!

    Did you install the dependencies in the enfold > dev folder? If not, then you should not be worrying at all about this. The dependencies glob-parent and terser are only dev dependencies, which is used by the developers in their own environment to build something else, which also means that these packages do not actually exist in your installation.

    Regards,
    Ismael

    November 30, 2022 at 11:01 am #1374415
    testq1

    The files in dev folder are included in the installation (not like the documentations) when adding the theme to a WordPress installation. And can be accessed from internet. For example, /wp-content/themes/enfold/dev/readme.txt

    As I see it, there is no point to use old unsecure decencies even if the main code doesn’t use it. Especially when the unsecure files are accessible from internet and when there a new version to update it too.

    Also, when scanning for vulnerabilities for my client of plugins they will come up and mess my list of urgent CVE of plugins. Therefore, it would it be great if you could update in future. ;) I know there are workarounds I can do to solve it, but I prefer to use the fix it how it should be done, updating to never versions.
    Thanks!

    December 1, 2022 at 5:38 am #1374558
    Ismael

    Hi,

    Did you install the dependencies in the dev folder and actually use the scripts to minify the files? If not, then it means that the dependencies or packages (node_modules) do not actually exist in your installation. What is being reported in your tool is just a list of dependencies in the package.json file they deemed vulnerable, the actual packages do not exist. And again, they are “dev dependencies”, so they will not be included in the dev folder even if you installed the dependencies using “npm install”. You can manually remove the dev folder if you think it is unsafe.

    Best regards,
    Ismael

  • Author
    Posts
Viewing 7 posts - 1 through 7 (of 7 total)
  • You must be logged in to reply to this topic.