
Outdated frontend dependencies include CVEs

Open AnsgarH1 opened this issue 6 months ago • 2 comments

Expected

Frontend dependencies are included from recent CDN versions or with a package manager, and use the latest major version. Best case would be that some tooling like Renovate keeps them up to date.

Actual

The hardcoded frontend dependencies in src/static.html are multiple major versions outdated, and especially the Bootstrap dependency contains CVEs which get flagged in our SAST tooling.

Steps to reproduce

Analyze the static export of any diagram by any SAST tool.

Version/build information

structurizr-cli: 2025.05.28
structurizr-java: 4.1.0
Java: 24.0.1/Homebrew (/opt/homebrew/Cellar/openjdk/24.0.1/libexec/openjdk.jdk/Contents/Home)
OS: Mac OS X 15.4.1 (aarch64)

Severity

Critical

Priority

Low (I'm willing to make a pull request - please confirm approach first)

More information

No response

AnsgarH1, Jul 15 '25 12:07
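The "steps to reproduce" above rely on whatever SAST tool happens to be in the pipeline. As an added example (not part of this issue, nor Structurizr's own code), the script below is a minimal version of the check such a tool performs on a static export: it parses every external `<script src>` and stylesheet `<link href>`, pulls the library name and version out of the CDN URL, and flags anything below a minimum version you declare. The sample HTML and the `MIN_VERSIONS` floors are constructed for illustration and are not claims about any real release or advisory; take real floors from the advisories your scanner reports. The URL-based extraction is a heuristic: a bundled or vendored file with no version in its path is not detected this way (real SCA tools additionally fingerprint file contents), so an empty result is not proof of an up-to-date export.

```python
"""Version check for CDN-loaded frontend libraries in a static HTML export.

Added example; not code from the Structurizr project. The sample export and
the minimum-version policy are constructed placeholders.
"""
import re
from html.parser import HTMLParser

# Constructed sample export: hard-coded CDN assets plus one local asset.
SAMPLE_HTML = """<!DOCTYPE html>
<html><head>
<link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css">
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.7.1/jquery.min.js"></script>
<script src="https://cdn.jsdelivr.net/npm/lodash@4.17.21/lodash.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/backbone.js/1.4.1/backbone-min.js"></script>
<script src="/static/js/app.js"></script>
</head><body></body></html>
"""

# Constructed policy: oldest acceptable version per library (placeholders,
# not a recommendation; derive real floors from your scanner's advisories).
MIN_VERSIONS = {
    "bootstrap": (5, 0, 0),
    "jquery": (3, 5, 0),
    "lodash": (4, 17, 21),
    "backbone.js": (1, 4, 0),
}

# ".../<name>/<version>/..." (cdnjs, stackpath) or ".../<name>@<version>/..." (jsdelivr, unpkg).
CDN_RE = re.compile(r"/([A-Za-z0-9_.-]+)[/@](\d+(?:\.\d+){1,3})(?:/|$)")


class AssetCollector(HTMLParser):
    """Collect the URLs of every external script and stylesheet."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.urls.append(a["src"])
        elif tag == "link" and a.get("rel") == "stylesheet" and a.get("href"):
            self.urls.append(a["href"])


def parse_version(text):
    """'3.3.7' -> (3, 3, 7); short versions are padded so '1.4' == '1.4.0'."""
    parts = [int(p) for p in text.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def find_cdn_deps(html):
    """Return [(name, version_tuple, url)] for each external asset with a versioned URL."""
    collector = AssetCollector()
    collector.feed(html)
    deps = []
    for url in collector.urls:
        if not url.startswith(("http://", "https://", "//")):
            continue  # local asset: nothing to read from the URL
        m = CDN_RE.search(url)
        if m:
            deps.append((m.group(1).lower(), parse_version(m.group(2)), url))
    return deps


def check_dependencies(html, min_versions=MIN_VERSIONS):
    """Split detected CDN assets into (outdated, unknown).

    outdated: (name, found_version, required_version, url) below the policy floor
    unknown:  (name, url) for libraries the policy does not cover, so they are not silently ignored
    """
    outdated, unknown = [], []
    for name, version, url in find_cdn_deps(html):
        floor = min_versions.get(name)
        if floor is None:
            unknown.append((name, url))
        elif version < floor:
            fmt = lambda v: ".".join(map(str, v))
            outdated.append((name, fmt(version), fmt(floor), url))
    return outdated, unknown


if __name__ == "__main__":
    found_outdated, found_unknown = check_dependencies(SAMPLE_HTML)
    for name, have, need, url in found_outdated:
        print(f"OUTDATED  {name} {have} < {need}  {url}")
    for name, url in found_unknown:
        print(f"NO POLICY {name}  {url}")
```

Run it against a real export with `check_dependencies(open("export.html").read())`; in the constructed sample only the Bootstrap 3.x stylesheet falls below its floor, and a library missing from `MIN_VERSIONS` is reported separately rather than dropped.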

@simonbrowndotje any response would be great. I am willing to help out with a PR.

AnsgarH1, Aug 01 '25 09:08

I've updated Bootstrap, but that's about all that I can do at the moment unfortunately. Backbone and Lodash will disappear with an upgrade to JointJS 4.x, but that's a much bigger task as there are breaking changes that cause the diagram renderer to stop working.

simonbrowndotje, Aug 02 '25 09:08