simplecov-html
jquery-3.4.1 contains vulnerabilities, please upgrade to 3.5.1
https://snyk.io/vuln/npm:[email protected]
https://github.com/simplecov-ruby/simplecov-html/blob/main/assets/javascripts/libraries/jquery-3.4.1.js
https://code.jquery.com/jquery-3.5.1.js
Hi, thanks for letting us know and we'll upgrade but as these are XSS vulnerabilities you'd need to look at somebody else's malicious code (as that's the user input we got) if that is even affected by this, or am I missing another attack vector here?
@PragTob It doesn't seem to matter to our vulnerability scanner how it is used. Just that it is there and the code is flagged as vulnerable. :(
Of course it doesn't matter for it :D So, your problem is more that your security scanner nags you about it than the actual security risk.
@PragTob hey, if I made a PR to update to jquery 3.5.1 would you accept the patch?
@PragTob I've made a PR to update the embedded jquery here: https://github.com/simplecov-ruby/simplecov-html/pull/115 I am not quite sure of the process for contributing... I did run simplecov tests with the updated simplecov-html gem loaded from my local code. I also tested with my own code, generating a full coverage report on a suite of tests.
@PragTob Do you have time to check this out? #115 It would help my team a lot if we could comply with my company's security policies without begging for exceptions! Probably there are many others in the same boat now, with off-the-shelf scans becoming standard.