security issue for jquery before 3.4.0
The package dependency requires that the jquery version is newer than 1.2.6. You can check the vendor/mottie/tablesorter/composer.json file.
"require": { "components/jquery": ">=1.2.6" },
According to the CVE report, all jquery versions before 4.3.0 have a security issue. Details can be found at https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358
I suggest changing the require dependency to 3.4.0 or 3.4.1:
"require": { "components/jquery": ">=3.4.0" },
Besides, as far as I know, components/jquery is not updated and you cannot get the 3.4.0 version from the components/jquery package.
I posted a new issue for components/jquery at https://github.com/components/jquery/issues/62
Hi @woei66!
Sorry for taking so long to respond!
I have left this minimum jquery requirement to ensure this library is compatible with the original tablesorter. This repository is usually kept up-to-date with the latest jQuery (I just updated from 3.3.1 to 3.4.1), but I think the author using this library would ultimately be responsible for the version they are using. Maybe this is the wrong thinking, so please correct me if I'm wrong.
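As an added example that is not part of the thread or of the tablesorter project: a consuming project can check on its own side whether the `>=1.2.6` constraint lets Composer resolve a jQuery older than 3.4.0, and whether its `composer.lock` actually pins one. The 3.4.0 threshold comes from the issue title and proposed constraint; the function names and the lock-file excerpt are constructed for illustration.

```python
import json
import re

FIXED = (3, 4, 0)  # first jQuery release the issue treats as fixed for CVE-2019-11358

def parse_version(text):
    """'v3.3.1' or '3.4' -> (3, 3, 1) / (3, 4, 0); raises ValueError for e.g. 'dev-master'."""
    m = re.match(r"v?(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"no numeric version in {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def constraint_admits_vulnerable(constraint, fixed=FIXED):
    """True if a plain '>=X.Y.Z' constraint lets Composer resolve a release below `fixed`."""
    m = re.fullmatch(r"\s*>=\s*(v?[\d.]+)\s*", constraint)
    if not m:
        raise ValueError(f"only '>=X.Y.Z' constraints are handled: {constraint!r}")
    return parse_version(m.group(1)) < fixed

def vulnerable_locked(lock_text, package="components/jquery", fixed=FIXED):
    """List (name, version) of locked copies of `package` that are older than `fixed`
    or whose version cannot be compared (branch aliases such as 'dev-master')."""
    lock = json.loads(lock_text)
    hits = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") != package:
                continue
            try:
                if parse_version(pkg["version"]) < fixed:
                    hits.append((pkg["name"], pkg["version"]))
            except ValueError:
                hits.append((pkg["name"], pkg["version"]))  # unknown: review by hand
    return hits

# Constructed composer.lock excerpt (not taken from any real project).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "components/jquery", "version": "3.3.1"},
        {"name": "example/other-package", "version": "1.0.0"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    print(constraint_admits_vulnerable(">=1.2.6"))  # constraint quoted in the issue
    print(constraint_admits_vulnerable(">=3.4.0"))  # constraint proposed in the issue
    print(vulnerable_locked(SAMPLE_LOCK))
```

Running `vulnerable_locked` over the real `composer.lock` in CI makes the check independent of whatever minimum an upstream library declares.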