Conversation

@cooknl cooknl commented Apr 30, 2020

I received a GitHub security alert with a suggested remediation to update jquery to 3.5.0.

This is the only place in bookdown that I could find an opportunity to do so.

@yihui yihui left a comment

Bumping the version number is not enough. We also need to actually include a copy of jquery.min.js: https://github.com/rstudio/bookdown/tree/master/inst/resources/jquery Thanks!
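A consistency check along the lines of the point above, written here as an added example (it is not bookdown's code or part of this PR): it reads the version banner of a vendored jquery.min.js and compares it with the version a package declares, so a bumped number sitting next to a stale file is caught. The banner is assumed to follow jQuery's `/*! jQuery vX.Y.Z | ...` header convention; the sample file contents are constructed.

```python
import re

# Constructed samples of the first line of a vendored jquery.min.js.
# Real builds carry a banner like "/*! jQuery v3.5.0 | (c) ... */" (assumed format).
OLD_BANNER = "/*! jQuery v2.2.3 | (c) jQuery Foundation | jquery.org/license */\n!function(a,b){}"
NEW_BANNER = "/*! jQuery v3.5.0 | (c) JS Foundation and other contributors | jquery.org/license */\n!function(e,t){}"

BANNER_RE = re.compile(r"/\*!\s*jQuery\s+v(\d+\.\d+\.\d+)")


def bundled_version(min_js_text):
    """Return the version string from the minified file's banner, or None if absent."""
    m = BANNER_RE.search(min_js_text)
    return m.group(1) if m else None


def version_tuple(v):
    """'3.5.0' -> (3, 5, 0) so versions compare numerically, not lexically."""
    return tuple(int(x) for x in v.split("."))


def check_vendored_jquery(declared, min_js_text, minimum="3.5.0"):
    """Compare the declared version with the shipped file and enforce a floor.

    Returns a list of findings; an empty list means the bundle is consistent
    and at or above the advisory floor.
    """
    bundled = bundled_version(min_js_text)
    if bundled is None:
        return ["no jQuery banner found in jquery.min.js"]
    findings = []
    if bundled != declared:
        findings.append(f"declared {declared} but bundled file is {bundled}")
    if version_tuple(bundled) < version_tuple(minimum):
        findings.append(f"bundled {bundled} is below advisory floor {minimum}")
    return findings


def check_file(declared, path, minimum="3.5.0"):
    """Same check against an on-disk jquery.min.js (path is caller-supplied)."""
    with open(path, encoding="utf-8") as fh:
        return check_vendored_jquery(declared, fh.read(), minimum)


if __name__ == "__main__":
    # Version bumped in metadata, but the old file still shipped: two findings.
    for f in check_vendored_jquery("3.5.0", OLD_BANNER):
        print("FAIL:", f)
```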

@yihui yihui left a comment

And also see #693.

cooknl commented May 6, 2020

Would you like me to add and commit?

cooknl commented May 30, 2020

I have replaced jquery.min.js v2.2.3 with v3.5.0. All tests have passed.

I have done a global search in the repo for the string "jquery".

Two questions:

  1. In /bookdown/inst/resources/gitbook/js/app.js there is a comment that mentions "jQuery JavaScript Library v2.1.4". Does this comment need to mention the version number? Especially since it mentions v2.1.4 and the current version is v2.2.3? (notably app.min.js doesn't have any comments and does not appear to have any particular version dependency)
  2. In /bookdown/inst/resources/AUTHORS jQuery contributors are listed. Does this need to be updated for jQuery v3.5.0? If so, what is the source of truth for this listing?

CLAassistant commented Sep 24, 2020

CLA assistant check
All committers have signed the CLA.

@yihui yihui added the next to consider for next release label Apr 26, 2021
@cderv cderv added this to the v0.23 milestone Apr 27, 2021
yihui commented Jul 29, 2021

This has been done in #693. To answer your two questions (if you still need the answers):

  1. No, we don't need to mention the version number (I've removed it in #693, "Updated Jquery to 3.3.1"); app.js just uses whatever version of jQuery is currently loaded.
  2. Yes, the author info needs to be updated (done in #693, "Updated Jquery to 3.3.1").

Thank you very much!

@yihui yihui closed this in bb62d08 Jul 29, 2021
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jan 26, 2022
Development

Successfully merging this pull request may close these issues.

Update jQuery to latest version to mitigate severe user-facing vulnerability