
[carbon-addons-iot-react] wait for new version dom-to-image to fix jquery 2.1.4 vulnerability

Open YolandaZhang369369 opened this issue 2 years ago • 3 comments

What package is this for?

  • [x] React
  • [ ] Angular

Describe the bug

Our product directly uses "carbon-addons-iot-react": "^2.147.0-next"; the dependency chain is as follows:

[email protected] <- @carbon/[email protected] <- @carbon/[email protected] <- [email protected]

Our vulnerability scanning tool notified us to upgrade to jquery 3.0.0. We found that dom-to-image packages jquery 2.1.4 internally (/dom-to-image/bower_components/jquery 2.1.4), so we cannot upgrade its version directly; we are waiting for a new version of dom-to-image to fix this jquery vulnerability.

Expected behavior

A new version of dom-to-image that fixes this jquery vulnerability by upgrading to jquery 3.0.0.

YolandaZhang369369, Apr 08 '22 08:04

@YolandaZhang369369 Depends on https://github.com/carbon-design-system/carbon-charts/issues/1206. Have you contacted the charting team for prioritization?

JordanWSmith15, May 05 '22 15:05

@JordanWSmith15, what do you mean by "charting team"? We are one of the development teams In. Now we need to resolve this issue as soon as possible to fulfill the company IT security requirement for High severity issues.

YolandaZhang369369, Aug 25 '22 08:08

FYI @davidicus. @YolandaZhang369369 What I mean by charting team is the Carbon charts team, which is where this vulnerability lies. I would open an issue in https://github.com/carbon-design-system/carbon-charts, or ask in the Carbon Charts slack channel https://ibm-watson-iot.slack.com/archives/CCA7L4MS9

JordanWSmith15, Aug 26 '22 12:08

Inquiring about the possibility of backporting the solution to v0.55.1.

The dom-to-image repo is unresponsive.

davidicus, Sep 13 '22 19:09

The Carbon charts team's investigation found this to be a dev dependency of the dom-to-image package that is not used in the charts codebase.

davidicus, Sep 14 '22 16:09
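As an added illustration of the triage behind the comment above (example code, not from this issue or from either project): given a constructed manifest modelled on the dom-to-image layout described in this thread (all field contents are assumptions), it classifies whether a flagged vendored library is reachable at runtime or, as here, a bower_components dev dependency that the package's entry point never loads.

```javascript
// Constructed manifest mirroring the thread: jquery ships inside the tarball
// under bower_components/ but is neither a runtime npm dependency nor loaded
// from the main entry point. Every value here is assumed, not taken from npm.
const sampleDomToImage = {
  name: "dom-to-image",
  packageJson: {
    main: "src/dom-to-image.js",
    dependencies: {},                 // no runtime npm deps (assumed)
    devDependencies: { karma: "*" },  // placeholder dev tooling (assumed)
  },
  bowerJson: { devDependencies: { jquery: "2.1.4" } },  // test-only (assumed)
  // files present in the published package that carry the flagged name
  shippedFiles: ["src/dom-to-image.js", "bower_components/jquery/dist/jquery.js"],
  // modules the main entry point requires/imports (transitively); none here
  entryRequires: [],
};

// Decide whether a scanner finding for `flaggedName` inside `manifest` is
// actionable, a likely false positive, or needs a human to trace the wiring.
function triageVendoredFinding(manifest, flaggedName) {
  const pj = manifest.packageJson;
  const bj = manifest.bowerJson || {};
  const reasons = [];

  const runtimeDep = Boolean(pj.dependencies && pj.dependencies[flaggedName]);
  if (runtimeDep) reasons.push(`${flaggedName} declared in package.json dependencies`);

  const loadedByEntry = manifest.entryRequires.some(
    (r) => r === flaggedName || r.split("/").includes(flaggedName));
  if (loadedByEntry) reasons.push(`${flaggedName} is loaded from ${pj.main}`);

  // A copy under bower_components/<name>/ is shipped but not wired into npm.
  const vendoredUnderBower = manifest.shippedFiles.some((f) => {
    const [top, second] = f.split("/");
    return top === "bower_components" && second === flaggedName;
  });
  const bowerDevOnly = Boolean(bj.devDependencies && bj.devDependencies[flaggedName])
    && !(bj.dependencies && bj.dependencies[flaggedName]);
  if (vendoredUnderBower) reasons.push("copy lives under bower_components/, shipped but not imported");
  if (bowerDevOnly) reasons.push("bower.json lists it only under devDependencies");

  let verdict;
  if (runtimeDep || loadedByEntry) verdict = "actionable";          // reachable at runtime
  else if (vendoredUnderBower && bowerDevOnly) verdict = "likely false positive";
  else verdict = "needs manual review";                              // wiring unknown
  return { verdict, reasons };
}
```

Even a confirmed false positive is worth excluding from the build output (bundler ignore rules or a post-install prune of the vendored path) so the scanner stops re-raising it.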

Closing as invalid: false positive.

JordanWSmith15, Oct 18 '22 18:10