yii2-jui icon indicating copy to clipboard operation
yii2-jui copied to clipboard

Published 20 hours ago verified publisher icon yiisoft

Package pulls in unsafe version of jQuery UI, upgrade not (easily) possible

Open flaviovs opened this issue 2 years ago • 0 comments

What steps will reproduce the problem?

Install yii2-jui.

What's expected?

A safe version of Jquery UI pulled in as dependency, or the ability to upgrade that package to a safer version.

What do you get instead?

  • jQuery UI 1.12.1 which has several known security vulnerabilities
  • The inability to upgrade using Composer because:
    • yii2-jui pins jQuery UI to 1.12.1
    • A safe version (1.13.*) is not available in https://asset-packagist.org/ (although a fixed version is available as npm-asset/jquery-ui).

flaviovs avatar Oct 18 '23 01:10 flaviovs