
Update `jquery-ui` to latest version to mitigate vulnerabilities

Open mahesh2013 opened this issue 1 year ago • 7 comments

Location: rmarkdown/rmd/h/jqueryui/jquery-ui.js

Vulnerabilities:
- https://nvd.nist.gov/vuln/detail/CVE-2016-7103
- https://nvd.nist.gov/vuln/detail/CVE-2021-41182
- https://nvd.nist.gov/vuln/detail/CVE-2021-41183
- https://nvd.nist.gov/vuln/detail/CVE-2021-41184
- https://nvd.nist.gov/vuln/detail/CVE-2022-31160

jquery-ui version 1.13.2 fixes these issues: https://www.npmjs.com/package/jquery-ui

```r
> xfun::session_info('rmarkdown')
R version 4.2.0 (2022-04-22)
Platform: x86_64-conda-linux-gnu (64-bit)
Running under: Red Hat Enterprise Linux 8.6 (Ootpa), RStudio 2022.7.1.554

Locale:
  LC_CTYPE=en_US.UTF-8       LC_NUMERIC=C               LC_TIME=en_US.UTF-8       
  LC_COLLATE=en_US.UTF-8     LC_MONETARY=en_US.UTF-8    LC_MESSAGES=en_US.UTF-8   
  LC_PAPER=en_US.UTF-8       LC_NAME=C                  LC_ADDRESS=C              
  LC_TELEPHONE=C             LC_MEASUREMENT=en_US.UTF-8 LC_IDENTIFICATION=C       

Package version:
  base64enc_0.1.3 digest_0.6.29   evaluate_0.16   fastmap_1.1.0   glue_1.6.2     
  graphics_4.2.0  grDevices_4.2.0 highr_0.9       htmltools_0.5.3 jquerylib_0.1.4
  jsonlite_1.8.0  knitr_1.39      magrittr_2.0.3  methods_4.2.0   rlang_1.0.4    
  rmarkdown_2.11  stats_4.2.0     stringi_1.7.8   stringr_1.4.0   tinytex_0.35   
  tools_4.2.0     utils_4.2.0     xfun_0.32       yaml_2.3.5     

Pandoc version: 2.18
```

mahesh2013 — Aug 25 '22 18:08
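The practical check behind this report is "which vendored copies of jQuery UI are below the fixed version?". The script below is an added example (not rmarkdown's code, and not posted by anyone in this thread): it walks a source tree, finds files named `jquery-ui*.js`, reads the library version from the upstream build banner, and flags any copy older than 1.13.2, the version the report cites. It assumes the banner format that upstream's dist files carry (`/*! jQuery UI - v1.11.4 - 2015-03-11`); a copy without a recognisable banner is reported as outdated rather than silently passed.

```python
"""Audit vendored jQuery UI copies against a minimum safe version.

Added example, not part of the rmarkdown project. Assumes the upstream
build banner format '/*! jQuery UI - v1.11.4 - 2015-03-11', which both
the minified and unminified dist files begin with.
"""
import sys
from pathlib import Path
from typing import Iterator, List, Optional, Tuple
import re

Version = Tuple[int, int, int]

# Version the issue reports as fixing the listed CVEs.
MIN_SAFE: Version = (1, 13, 2)

# Banner regex. The search is limited to the first 1 KiB so that a later
# mention of "jQuery UI" (a bundled plugin, a comment) cannot be mistaken
# for the library's own version.
_BANNER = re.compile(r"jQuery UI\s*-\s*v(\d+)\.(\d+)\.(\d+)")
_BANNER_WINDOW = 1024


def extract_version(js_source: str) -> Optional[Version]:
    """Return (major, minor, patch) from the build banner, or None."""
    m = _BANNER.search(js_source[:_BANNER_WINDOW])
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_outdated(version: Optional[Version], minimum: Version = MIN_SAFE) -> bool:
    """True if the copy is below the minimum or could not be identified."""
    return version is None or version < minimum


def find_jquery_ui(root: Path) -> Iterator[Path]:
    """Yield every jquery-ui*.js file under root (e.g. jquery-ui.min.js)."""
    for path in root.rglob("*.js"):
        if path.name.lower().startswith("jquery-ui"):
            yield path


def audit_tree(root, minimum: Version = MIN_SAFE) -> List[Tuple[str, Optional[Version], bool]]:
    """Return (relative path, detected version, outdated?) for each copy."""
    root = Path(root)
    results = []
    for path in sorted(find_jquery_ui(root)):
        text = path.read_text(encoding="utf-8", errors="replace")
        version = extract_version(text)
        results.append((str(path.relative_to(root)), version, is_outdated(version, minimum)))
    return results


def format_version(version: Optional[Version]) -> str:
    return "unknown" if version is None else ".".join(str(x) for x in version)


if __name__ == "__main__":
    # Usage: python audit_jquery_ui.py /path/to/rmarkdown
    # Exit status 1 if any vendored copy is outdated, so it can gate CI.
    findings = audit_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    for rel, version, bad in findings:
        print(f"{'OUTDATED' if bad else 'ok      '} {format_version(version):>8}  {rel}")
    sys.exit(1 if any(bad for _, _, bad in findings) else 0)
```

Run it against a checkout of the package; it exits non-zero when any copy is below 1.13.2, which makes it usable as a CI gate so the file is not quietly re-vendored at an old version later.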

Thanks.

We can probably download the latest stable version from https://jqueryui.com/download/

@yihui FWIW shiny already uses one version above the one in rmarkdown: https://github.com/rstudio/shiny/tree/main/inst/www/shared/jqueryui

Upgrading to the latest should be ok, or we could sync to the Shiny one.

Do you know what the UI is used for? It goes with a jQuery feature, right?

cderv — Aug 26 '22 13:08

Also, most of the CVEs linked here are under reassessment, from what I can see when opening the links.

cderv — Aug 26 '22 13:08

AFAIK, we use jQuery UI only for floating TOC in html_document. It was added by JJ several years ago: bbdcc644d328f00fdd102cf71b886e1e864662be (because tocify.js requires it).

yihui — Aug 26 '22 14:08

Ok, so updating would require checking that tocify.js still works as expected without any update of its own. Always tricky to update JS dependencies 😅

cderv — Aug 26 '22 14:08

Verifying if floating TOC works with a higher version of jQuery UI may be easy. I think the much worse thing is that tocify.js is no longer maintained, and we are still using a version from 7 years ago...

yihui — Aug 26 '22 14:08

Oh that is a bummer. Rules of Open Source world.

Maybe we should move away from tocify.js and recreate it using a Lua filter + HTML / JS / CSS. Not trivial work, but it could be worth doing since it is unmaintained anyway.

cderv — Aug 26 '22 14:08

Yes, if possible and time permits.

yihui — Aug 26 '22 15:08