rmarkdown
Update `jquery-ui` to latest version to mitigate vulnerabilities
Location: rmarkdown/rmd/h/jqueryui/jquery-ui.js
Vulnerabilities:
https://nvd.nist.gov/vuln/detail/CVE-2016-7103
https://nvd.nist.gov/vuln/detail/CVE-2021-41182
https://nvd.nist.gov/vuln/detail/CVE-2021-41183
https://nvd.nist.gov/vuln/detail/CVE-2021-41184
https://nvd.nist.gov/vuln/detail/CVE-2022-31160
jquery-ui version that fixes these issues: 1.13.2 https://www.npmjs.com/package/jquery-ui
> xfun::session_info('rmarkdown')
R version 4.2.0 (2022-04-22)
Platform: x86_64-conda-linux-gnu (64-bit)
Running under: Red Hat Enterprise Linux 8.6 (Ootpa), RStudio 2022.7.1.554
Locale:
LC_CTYPE=en_US.UTF-8 LC_NUMERIC=C LC_TIME=en_US.UTF-8
LC_COLLATE=en_US.UTF-8 LC_MONETARY=en_US.UTF-8 LC_MESSAGES=en_US.UTF-8
LC_PAPER=en_US.UTF-8 LC_NAME=C LC_ADDRESS=C
LC_TELEPHONE=C LC_MEASUREMENT=en_US.UTF-8 LC_IDENTIFICATION=C
Package version:
base64enc_0.1.3 digest_0.6.29 evaluate_0.16 fastmap_1.1.0 glue_1.6.2
graphics_4.2.0 grDevices_4.2.0 highr_0.9 htmltools_0.5.3 jquerylib_0.1.4
jsonlite_1.8.0 knitr_1.39 magrittr_2.0.3 methods_4.2.0 rlang_1.0.4
rmarkdown_2.11 stats_4.2.0 stringi_1.7.8 stringr_1.4.0 tinytex_0.35
tools_4.2.0 utils_4.2.0 xfun_0.32 yaml_2.3.5
Pandoc version: 2.18
Thanks.
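As an added check (not part of the rmarkdown project or of this thread), the following POSIX shell script reads the version banner of a bundled jquery-ui.js and compares it, version-aware, against 1.13.2, the version the issue names as carrying the fixes. It assumes the standard jQuery UI build banner (`/*! jQuery UI - vX.Y.Z - <date>`) on the first lines of the file and defaults to the path given in the issue; the sample banner it writes at the end is constructed for demonstration only.

```shell
# Added example: verify which jQuery UI version a package bundles and whether it
# reaches the minimum fixed version. Not project code; assumes official jQuery UI
# builds start with a banner such as "/*! jQuery UI - v1.13.2 - <date>".

RMD_JQUERYUI="${RMD_JQUERYUI:-rmarkdown/rmd/h/jqueryui/jquery-ui.js}"  # path from the issue
MIN_JQUERYUI="1.13.2"   # version the issue names as fixing the listed CVEs

# Print the version recorded in the banner of a jquery-ui.js file (e.g. "1.12.1").
# Only the first five lines are inspected, so a huge minified file is not scanned.
jqueryui_version() {
  sed -n '1,5s/.*jQuery UI - v\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# Exit status 0 if file $1 carries a version >= $2, 1 if it is older,
# 2 if no banner could be parsed (an unrecognised build must not pass as "ok").
# sort -V compares version components numerically, so 1.13.10 ranks above 1.13.2.
jqueryui_at_least() {
  v=$(jqueryui_version "$1")
  [ -n "$v" ] || return 2
  lowest=$(printf '%s\n%s\n' "$v" "$2" | sort -V | head -n 1)
  [ "$lowest" = "$2" ]
}

# One-word verdict for file $1: OK, FAIL or UNKNOWN (safe under set -e).
jqueryui_status() {
  st=0
  jqueryui_at_least "$1" "$MIN_JQUERYUI" || st=$?
  case $st in
    0) echo OK ;;
    2) echo UNKNOWN ;;
    *) echo FAIL ;;
  esac
}

# Human-readable line for file $1; never aborts the caller.
report() {
  printf '%-7s %s (banner version: %s, required: >= %s)\n' \
    "$(jqueryui_status "$1")" "$1" "$(jqueryui_version "$1")" "$MIN_JQUERYUI"
}

# Constructed sample (not a real file from the issue) so the script runs stand-alone.
sample=$(mktemp)
printf '/*! jQuery UI - v1.11.4 - 2000-01-01\n* http://jqueryui.com\n*/\n' > "$sample"
report "$sample"
rm -f "$sample"

# Check the real bundled file when run from a checkout that has it.
if [ -f "$RMD_JQUERYUI" ]; then
  report "$RMD_JQUERYUI"
fi
```

Run it from the directory above the package checkout, or point `RMD_JQUERYUI` at an installed copy (for example the file under `system.file("rmd/h/jqueryui", package = "rmarkdown")`). A status of UNKNOWN means the banner was stripped or rewritten and the version has to be confirmed another way, such as from the package's own change log, rather than assumed fixed.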
We can probably download the latest stable version from https://jqueryui.com/download/
@yihui FWIW, shiny already uses one version above the one in rmarkdown: https://github.com/rstudio/shiny/tree/main/inst/www/shared/jqueryui
Upgrading to the latest should be ok, or we could sync to the Shiny one.
Do you know what the UI is used for? It goes with the jQuery feature, right?
Also, most of the CVEs linked here are under reassessment, from what I can see when opening the links.
AFAIK, we use jQuery UI only for the floating TOC in html_document. It was added by JJ several years ago: bbdcc644d328f00fdd102cf71b886e1e864662be (because tocify.js requires it).
Ok, so updating would also require checking that tocify.js still works as expected without any update. Always tricky to update JS dependencies 😅
Verifying whether the floating TOC works with a higher version of jQuery UI may be easy. I think the much worse thing is that tocify.js is no longer maintained, and we are still using a version from 7 years ago...
Oh, that is a bummer. Rules of the Open Source world.
Maybe we should move away from tocify.js and recreate it using a Lua filter + HTML / JS / CSS. Not trivial work, but it could be worth doing since it's unmaintained anyway.
Yes, if possible and time permits.