
`refinerycms-core` depends on a version of `jquery-ui-rails` with XSS vulnerabilities

Open · n7st opened this issue 1 year ago · 1 comment

I'm seeing several dependabot security alerts due to jquery-ui-rails version 6's dependency on jQuery UI v1.12 (e.g. https://github.com/jquery/jquery-ui/security/advisories/GHSA-gpqq-952q-5327).

These can be fixed by upgrading jquery-ui-rails to v7.0.0.

There's a slight issue with upgrading in that presently, the jquery-ui-rails gem hasn't got any maintainers who can push it to rubygems.

I believe this can be achieved (at least temporarily) using the GitHub repository's v7.0.0 tag.

n7st, Feb 05 '24 16:02
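A check for the situation described in the issue, added here as an example and not code from the issue or the refinerycms project: it parses a `Gemfile.lock` with Bundler's own lockfile parser, reports whether the resolved `jquery-ui-rails` is older than the fixed 7.0.0 release, and names the gems whose constraints would block the upgrade. The lockfile fragment is constructed, and the `refinerycms-core` version and constraint in it are placeholders.

```ruby
# Added example (not from the issue or refinerycms): find jquery-ui-rails in
# a Gemfile.lock, flag it if below 7.0.0, and list the gems pinning it.
require "bundler"

FIXED_VERSION = Gem::Version.new("7.0.0")

# Returns a hash with the resolved version, a vulnerable flag, and the gems
# that depend on jquery-ui-rails; nil if the gem is not in the lockfile.
def jquery_ui_rails_status(lockfile_contents)
  specs = Bundler::LockfileParser.new(lockfile_contents).specs
  target = specs.find { |s| s.name == "jquery-ui-rails" }
  return nil unless target

  pinned_by = specs.filter_map do |s|
    dep = s.dependencies.find { |d| d.name == "jquery-ui-rails" }
    next unless dep
    # A requirement that rejects 7.0.0 is what keeps Bundler on the old line.
    blocking = !dep.requirement.satisfied_by?(FIXED_VERSION)
    { gem: s.name, constraint: dep.requirement.to_s, blocks_upgrade: blocking }
  end

  {
    version: target.version.to_s,
    vulnerable: target.version < FIXED_VERSION,
    pinned_by: pinned_by,
  }
end

# Constructed lockfile fragment; the refinerycms-core version (0.0.0) and its
# "~> 6.0" constraint are placeholders, not values taken from the issue.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      jquery-ui-rails (6.0.1)
        railties (>= 3.2.16)
      railties (7.0.8)
      refinerycms-core (0.0.0)
        jquery-ui-rails (~> 6.0)
        railties (>= 3.2.16)
LOCK

if $PROGRAM_NAME == __FILE__
  status = jquery_ui_rails_status(SAMPLE_LOCKFILE)
  puts "jquery-ui-rails #{status[:version]} vulnerable=#{status[:vulnerable]}"
  status[:pinned_by].each { |p| puts "  #{p[:gem]} requires #{p[:constraint]} (blocks upgrade: #{p[:blocks_upgrade]})" }
end
```

Run it against a real `Gemfile.lock` by passing `File.read("Gemfile.lock")` instead of the constructed sample.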

jquery-ui-rails has a new maintainer who's released version 7.0.0 with the XSS fixes, but it looks like refinerycms-core is locked to version 6.

n7st, Apr 18 '24 13:04