
chore: resolve jQuery devDependency CVE #11352

Merged

Conversation


@ncoden ncoden commented Jun 26, 2018

Description

Update the internal jQuery version (used for tests) to the latest version to resolve a CVE.

Motivation and Context

This PR resolved a jQuery common vulnerability affecting jQuery < 3.

As Foundation supports jQuery >=2.2.0, the jQuery peer dependency is not changed. PeerDependencies versions in package.json should only reflect the actual compatibility with the package, regardless of promotion or "potential" security issue. It's up to the end developer to choose the package version corresponding to its own needs and to the risks coming with its own usage.

Types of changes

  • Documentation
  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)

Checklist (all required):

  • I have read and follow the CONTRIBUTING document.
  • There are no other pull request similar to this one.
  • The pull request title is descriptive.
  • The template is fully and correctly filled.
  • The pull request targets the right branch (develop or support/*).
  • My commits are correctly titled and contain all relevant information.
  • My code follows the code style of this project.
  • I have updated the documentation accordingly to my changes (if relevant).
  • I have added tests to cover my changes (if relevant).
  • All new and existing tests passed.

@DanielRuf
Contributor

Didn't we explicitly set it to 2+ to prevent issues with old setups? And to me it does not seem to be a peerDependency.


ncoden commented Jun 27, 2018

Foundation is compatible with jQuery 2.2.0+ so we rolled back to >=2.2 for peerDependencies (and dependencies before). We also needed jQuery in devDependencies for development mode (and tests), as peerDependencies are not installed with npm install. However, as we only use this version for internal tests, we don't care about the "real compatibility range". It only matters for peerDependencies.

Anyway with >=2.0.0, npm and Yarn will install the latest compatible version 3.3.1. That's why there are no changes in the lockfiles; we're not changing the actual jQuery version used for tests, just the range, to prevent an insecure jQuery version (< 3) from being installed and to make dependency watchers happy.

Related to:
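
As an added example (not code from the Foundation PR or project), the check a dependency watcher performs on the ranges discussed above: a small Node script that reports which package.json ranges still have a lower bound below an assumed floor of jQuery 3.0.0. The package.json contents are constructed to mirror the thread, where the wide peer range is kept on purpose for compatibility and only the devDependency range is raised.

```javascript
// Added example (not code from the Foundation PR): audit package.json ranges
// whose lower bound still admits versions below a security floor, the way a
// dependency watcher would. Only ">=", "^", "~" and exact ranges are parsed;
// anything else is reported as "unparsed" so it is not silently accepted.
const FLOORS = { jquery: '3.0.0' }; // assumed floor: the thread treats jQuery < 3 as affected

// Lower bound of ">=2.2", "^3.3.1", "v3.0.0", "2.2.0"; missing minor/patch default to 0.
function rangeFloor(range) {
  const m = /^(>=|\^|~)?\s*v?(\d+)(?:\.(\d+))?(?:\.(\d+))?$/.exec(String(range).trim());
  return m ? [Number(m[2]), Number(m[3] || 0), Number(m[4] || 0)] : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Returns one finding per watched package in each dependency field.
function auditRanges(pkg) {
  const findings = [];
  for (const field of ['dependencies', 'devDependencies', 'peerDependencies']) {
    for (const [name, range] of Object.entries(pkg[field] || {})) {
      if (!(name in FLOORS)) continue; // only packages with a known floor
      const low = rangeFloor(range);
      let status;
      if (low === null) status = 'unparsed';
      else status = compareVersions(low, rangeFloor(FLOORS[name])) >= 0 ? 'ok' : 'admits-vulnerable';
      findings.push({ field, name, range, status });
    }
  }
  return findings;
}

// Constructed sample mirroring the thread: wide peer range kept for
// compatibility, devDependency range raised so tests never pull jQuery < 3.
const samplePkg = {
  peerDependencies: { jquery: '>=2.2.0' },
  devDependencies: { jquery: '>=3.0.0' },
};

console.log(auditRanges(samplePkg));
```

The peer range is reported as admitting a vulnerable version by design; as the thread says, that range states compatibility, and the choice of installed version rests with the consuming project.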
