yard
Jquery.js
Hello!
This is more of a security issue and a question about it. Why are you using version 1.7.1 of jQuery? Everything less than 1.9 has an XSS vulnerability?
Best wishes! Jan
Discussed elsewhere on the repo. Here's one place that I recall: https://github.com/lsegal/yard/pull/1351#issuecomment-699686428
Why are you using version 1.7.1 of jquery?
Seems it was upgraded to 3.4.1 (https://github.com/lsegal/yard/commit/9ed7586a390155039710ccf011f127f4ba5ce04a) to fix a previous vulnerability and then reverted in https://github.com/lsegal/yard/commit/4fbf8ff08909d04a7faf80849dcd696b9a7b12ab
Everything less than 1.9 has an XSS vulnerability?
Every repository hosting yard generated doc is receiving GHSA-q4m3-2j7h-f7xw alerts. Ex: https://github.com/noraj/PixelChart/security/dependabot/15
I guess yard is probably not vulnerable, as it is used to generate static documentation and there is nearly no user input outside of the search bar. But it's annoying that anyone using yard receives a false positive vulnerability alert.
The upgraded version of jQuery created regressions in generated documentation. If someone wants to open a PR with a version of jQuery that does not break downstream usage, it might be accepted. Another option would be for someone to provide the upgrade with necessary shims/updates to yard code in order to not break downstream users. Alternatively, if someone wants to show a proper reproduction of the vulnerability being used in the context of yard, it could be prioritized more highly.
It's worth noting that downstream users are also free to provide their own jQuery by using templating in yard to override the original version, so if you're getting notices on GitHub, you can address them by vendoring your own jQuery; you will however be subject to potential regressions.
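For downstream users who receive the alert and want to confirm which jQuery actually ships in their generated documentation (whether the default copy or one they vendored through a template override), the following Ruby script is an added example, not part of yard or of this thread. It walks a doc output directory, reads the version from the banner comment of every jquery*.js it finds, and reports copies older than the 1.9 threshold mentioned above. The banner formats, the "doc/" layout and the sample files built in `demo` are assumptions constructed for the example.

```ruby
# Added example (not yard's own code): find vendored jQuery copies in a generated
# doc tree and flag any older than the 1.9 threshold discussed in the issue.
require "tmpdir"
require "fileutils"

# Oldest version treated as acceptable; adjust to your own policy.
MIN_SAFE_JQUERY = Gem::Version.new("1.9.0")

# Pull the version out of the banner comment at the top of a jQuery file.
# Handles both the minified banner ("jQuery v1.7.1 ...") and the full-build
# banner ("jQuery JavaScript Library v3.4.1"). Returns nil when no banner is
# found, so an unrecognised file is surfaced rather than silently accepted.
def jquery_version(source)
  m = source[0, 512].match(/jQuery(?: JavaScript Library)? v(\d+\.\d+(?:\.\d+)?)/)
  m && Gem::Version.new(m[1])
end

# Walk a doc directory (yard writes to "doc/" by default) and return a map of
# relative path => parsed version (or nil) for every jquery*.js under it.
def find_jquery_copies(doc_dir)
  Dir.glob(File.join(doc_dir, "**", "jquery*.js")).each_with_object({}) do |path, acc|
    acc[path.delete_prefix(doc_dir + "/")] = jquery_version(File.read(path))
  end
end

# Keep only the copies below the threshold, plus unversioned ones that a
# reviewer should inspect by hand.
def outdated_jquery(copies, min = MIN_SAFE_JQUERY)
  copies.select { |_, v| v.nil? || v < min }
end

# Constructed fixture: a fake doc tree with one old and one newer jQuery copy.
# Returns the sorted relative paths of the outdated copies.
def demo
  Dir.mktmpdir do |dir|
    js = File.join(dir, "js")
    FileUtils.mkdir_p(js)
    File.write(File.join(js, "jquery.js"),
               "/*! jQuery v1.7.1 jquery.com | jquery.org/license */\n(function(){})();\n")
    File.write(File.join(js, "jquery-3.4.1.js"),
               "/*!\n * jQuery JavaScript Library v3.4.1\n */\n(function(){})();\n")
    outdated_jquery(find_jquery_copies(dir)).keys.sort
  end
end

if __FILE__ == $PROGRAM_NAME
  target = ARGV[0] || "doc"
  copies = Dir.exist?(target) ? find_jquery_copies(target) : {}
  outdated_jquery(copies).each do |path, version|
    puts "#{path}: #{version || 'unknown version'} (< #{MIN_SAFE_JQUERY})"
  end
end
```

Run it as `ruby check_jquery.rb doc` after generating documentation; an empty report means every jQuery copy found is at or above the threshold, while a listed path tells you exactly which file (and which version) triggered the alert.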