Skosmos currently requires jQuery v2.2.* to run, which in practice means v2.2.4 as the latest available. This version contains several security vulnerabilities, including:
The jQuery team will not release updates to the old version (see jquery/jquery#4559), instead recommending an upgrade to v3+.
These vulnerabilities have a medium threat score and allow potential cross-site scripting (XSS) attacks. There are mitigating steps we can take via configuration of the web server and PHP to reduce the probability of such attacks succeeding. However, the issue is still being flagged up by the security compliance team of our customer (the European Space Agency).
We would like to know whether there are any plans for migrating Skosmos to use jQuery v3.5+ to address this issue.
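The post mentions mitigating steps via web server and PHP configuration that lower the chance of an XSS attack succeeding while the front-end library is still on an old version. As an added illustration (not code from the issue or from Skosmos), the following PHP snippet shows what such a defence-in-depth step could look like: sending a Content-Security-Policy with a per-request nonce, plus a few related headers and session-cookie settings. The function names, header values and the `/js/jquery.min.js` path are assumptions for the example and would need tuning to a real deployment.

```php
<?php
// Added example, not Skosmos code: defence-in-depth response headers that
// limit what an injected script can do if a DOM-based XSS bug in a bundled
// front-end library is triggered. All policy values are assumptions.

function securityHeaders(string $nonce): array
{
    return [
        // Scripts may only load from this origin or carry the per-request
        // nonce; inline event handlers and eval() are blocked by default.
        'Content-Security-Policy' =>
            "default-src 'self'; script-src 'self' 'nonce-{$nonce}'; "
            . "object-src 'none'; base-uri 'self'; frame-ancestors 'none'",
        // Stop browsers from sniffing a non-script response into a script.
        'X-Content-Type-Options' => 'nosniff',
        // Do not leak full URLs (which may carry query data) to third parties.
        'Referrer-Policy' => 'strict-origin-when-cross-origin',
    ];
}

function hardenSessionCookies(): void
{
    // Keep the session cookie out of reach of document.cookie and off plain HTTP.
    ini_set('session.cookie_httponly', '1');
    ini_set('session.cookie_secure', '1');
    ini_set('session.cookie_samesite', 'Lax');
}

// Emits the headers and returns the nonce so templates can tag their <script> tags.
function sendSecurityHeaders(): string
{
    $nonce = base64_encode(random_bytes(16));
    foreach (securityHeaders($nonce) as $name => $value) {
        header("{$name}: {$value}");
    }
    return $nonce;
}

// Usage in a page template (call before any output is sent):
hardenSessionCookies();
$nonce = sendSecurityHeaders();
$safeNonce = htmlspecialchars($nonce, ENT_QUOTES, 'UTF-8');
echo '<script nonce="' . $safeNonce . '" src="/js/jquery.min.js"></script>';
```

A policy like this can be rolled out first as `Content-Security-Policy-Report-Only` to find inline scripts and styles the application still relies on before enforcing it; it reduces the impact of a library flaw but does not replace upgrading the library.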
Yes, there exists a plan to upgrade our jQuery version. I have just started the preparation work for it, see PR #1144 that was just merged into the code base. We hope to deliver a Skosmos version with jQuery 3.x as soon as possible and it will be a development focus in the forthcoming sprint(s).
As an additional note - there are unofficial patches available for back-porting fixes to some of the above vulnerabilities to older versions of jQuery, see https://github.com/DanielRuf/snyk-js-jquery-565129.