widdershins
shins dependency is including vulnerable jQuery version 3.2.1
Describe the bug
widdershins is dependent on shins, and as part of the shins source, they are embedding jQuery 3.2.1.
Unfortunately, jQuery 3.2.1 has a known XSS vulnerability, and our vulnerability scans fail because of this inclusion, with the message "The identified library jquery, version 3.2.1 is vulnerable."
To Reproduce
Steps to reproduce the behavior:
- View the generated widdershins HTML source. You will see the inline JavaScript:
he.fn=he.prototype={jquery:"3.2.1",constructor:he,length:0,toArray:function(){return ie.call(this)}
Expected behavior
Using widdershins should pass vulnerability scans.
Side note: the shins GitHub repo has been archived - it might be worth looking to see if that package is no longer maintained.