
Enhancement request: address jQuery security vulnerabilities

Open solomchuk opened this issue 4 years ago • 1 comments

Skosmos currently requires jQuery v2.2.* to run, which in practice means v2.2.4 as the latest available. This version contains several security vulnerabilities, including:

  1. CVE-2019-11358
  2. CVE-2015-9251

The jQuery team will not release updates to the old version (see https://github.com/jquery/jquery/issues/4559), instead recommending upgrading to v3+.

These vulnerabilities have a medium threat score and allow potential cross-site scripting (XSS) attacks. There are mitigating steps we can take via configuration of the web server and PHP to reduce the probability of such attacks succeeding. However, the issue is still being flagged up by the security compliance team of our customer (the European Space Agency).

We would like to know whether there are any plans for migrating Skosmos to use jQuery v3.5+ to address this issue.

As an additional note, there are unofficial patches available for back-porting fixes to some of the above vulnerabilities to older versions of jQuery, see https://github.com/DanielRuf/snyk-js-jquery-565129.

solomchuk avatar Feb 22 '21 12:02 solomchuk
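The version check implied by the report above, as an added example that is not part of the issue, Skosmos, or jQuery: it resolves a `2.2.*` style constraint to the newest known release and lists which of the two named advisories still apply to it. The fixed-in versions are the published ones; the release list and function names are constructed for the demo.

```javascript
// Added example, not code from Skosmos or jQuery: audit a jQuery release
// against the two advisories named in the issue. Fixed-in versions are the
// published ones; all other values below are constructed for the demo.
const ADVISORIES = [
  // Cross-domain Ajax responses executed as script without an explicit dataType.
  { id: "CVE-2015-9251", fixedIn: "3.0.0" },
  // Prototype pollution via jQuery.extend() on untrusted objects.
  { id: "CVE-2019-11358", fixedIn: "3.4.0" },
];

// Parse "v?MAJOR.MINOR.PATCH" into numbers; anything else is rejected, not treated as safe.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognised version string: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// A "2.2.*" style constraint (as in the issue) resolves to the highest
// known release that matches it; `releases` is the constructed list below.
function resolveConstraint(constraint, releases) {
  const m = /^(\d+)\.(\d+)\.\*$/.exec(constraint);
  if (!m) return constraint; // exact version, nothing to resolve
  const matching = releases.filter((r) => {
    const [maj, min] = parseVersion(r);
    return maj === Number(m[1]) && min === Number(m[2]);
  });
  if (matching.length === 0) throw new Error(`no release matches ${constraint}`);
  return matching.sort(compareVersions)[matching.length - 1];
}

// IDs of advisories whose fix landed after the given version.
function auditJqueryVersion(version) {
  return ADVISORIES.filter((a) => compareVersions(version, a.fixedIn) < 0)
    .map((a) => a.id);
}

// Constructed sample of release tags; a real audit would read them from the
// package registry or the vendored jquery.js header.
const RELEASES = ["2.2.3", "2.2.4", "3.0.0", "3.4.1", "3.5.1"];
const resolved = resolveConstraint("2.2.*", RELEASES);
console.log(resolved, auditJqueryVersion(resolved)); // 2.2.4 [ 'CVE-2015-9251', 'CVE-2019-11358' ]
```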

Thank you for the issue report.

Yes, there exists a plan to upgrade our jQuery version. I have just started the preparation work for it, see PR #1144 that was just merged into the code base. We hope to deliver a Skosmos version with jQuery 3.x as soon as possible and it will be a development focus in the forthcoming sprint(s).

kouralex avatar Mar 24 '21 19:03 kouralex