Tagged: jQuery
-
AuthorPosts
-
November 27, 2022 at 6:54 pm #1374039
Can you please update jquery in the documentation at: \documentation\documentation\assets\js\jquery.js
(Email address hidden if logged out) as version 1.5.1 got:
CVE-2012-6708
CVE-2015-9251
CVE-2019-11358
CVE-2020-11022
CVE-2020-11023
CVE-2011-4969see versions at https://releases.jquery.com/jquery/
thank you
- This topic was modified 2 years ago by testq1.
November 27, 2022 at 8:10 pm #1374055Hey testq1,
Thank you for your question, but the assets in the documentation directory is only for the index.html file in the documentation directory, it is not for the theme.
The theme doesn’t supply the jQuery file, it uses the file supplied by WordPress which is currently v3.6.1Best regards,
MikeNovember 27, 2022 at 8:30 pm #1374057Hi,
True, its only documentation but it’s better to have a more secure version of it even if it’s a low prio.
There also two more founds when checking Vulnerable Dependencies for my client of the files:
enfold\dev\package-lock.json?glob-parent
(Email address hidden if logged out) (Confidence:Highest)
CVE-2020-28469 (OSSINDEX)enfold\dev\package-lock.json?terser
(Email address hidden if logged out) (Confidence:Highest)
NPM-1081699Would ge great if you could clean/update the Vulnerable Dependencies.
Thanks!- This reply was modified 2 years ago by testq1.
November 27, 2022 at 9:39 pm #1374067Hi,
Ok, thanks for pointing this out I will submit to the Dev Team for their review.Best regards,
MikeNovember 29, 2022 at 7:20 am #1374233Hey!
Did you install the dependencies in the enfold > dev folder? If not, then you should not be worrying at all about this. The dependencies glob-parent and terser are only dev dependencies, which is used by the developers in their own environment to build something else, which also means that these packages do not actually exist in your installation.
Regards,
IsmaelNovember 30, 2022 at 11:01 am #1374415The files in dev folder are included in the installation (not like the documentations) when adding the theme to a WordPress installation. And can be accessed from internet. For example, /wp-content/themes/enfold/dev/readme.txt
As I see it, there is no point to use old unsecure decencies even if the main code doesn’t use it. Especially when the unsecure files are accessible from internet and when there a new version to update it too.
Also, when scanning for vulnerabilities for my client of plugins they will come up and mess my list of urgent CVE of plugins. Therefore, it would it be great if you could update in future. ;) I know there are workarounds I can do to solve it, but I prefer to use the fix it how it should be done, updating to never versions.
Thanks!December 1, 2022 at 5:38 am #1374558Hi,
Did you install the dependencies in the dev folder and actually use the scripts to minify the files? If not, then it means that the dependencies or packages (node_modules) do not actually exist in your installation. What is being reported in your tool is just a list of dependencies in the package.json file they deemed vulnerable, the actual packages do not exist. And again, they are “dev dependencies”, so they will not be included in the dev folder even if you installed the dependencies using “npm install”. You can manually remove the dev folder if you think it is unsafe.
Best regards,
Ismael -
AuthorPosts
- You must be logged in to reply to this topic.