GMOD / Apollo

Genome annotation editor with a Java Server backend and a Javascript client that runs in a web browser as a JBrowse plugin.
http://genomearchitect.readthedocs.io/

IT just sent us the latest vulnerability report. Two dependencies need updating. #2661

Open childers opened 1 year ago

childers commented 1 year ago

Hi all,

Our security team just flagged us for having outdated jQuery and Bootstrap.js. Specifically, here are two excerpts from the vulnerability report. There were a few different hits returned for jQuery.

Bootstrap: According to its self-reported version number, Bootstrap is 3.x prior to 3.4.1 or 4.x prior to 4.3.1. Therefore, it may be affected by a Cross-Site Scripting (XSS) vulnerability via the data-template attribute for the tooltip and popover plugins.

jQuery: According to its self-reported version number, jQuery is at least 1.2.0 and prior to 3.5.0. Therefore, it may be affected by a cross-site scripting vulnerability via the regex operation in jQuery.htmlPrefilter.
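A worked illustration of the jQuery excerpt above, added here as an example and not code from the Apollo project or from anyone in this thread. The `rxhtmlTag` pattern is the one jQuery used in `htmlPrefilter` before 3.5.0 (the 3.5.0 fix turned `htmlPrefilter` into an identity function); everything else, including the toy `tagsOutsideStyle` tokenizer and the `SAMPLE` payload, is constructed for illustration and approximates only one browser-parsing detail. The point it shows: a string that a sanitizer parsed as a single harmless `<style>` element is rewritten by the old prefilter so that the browser closes the style element early and the `<img onerror>` becomes a real element.

```javascript
// Added example (not GMOD/Apollo code): why the pre-3.5.0 jQuery.htmlPrefilter
// regex matters. Markup that a sanitizer saw as harmless text inside <style>
// can become a live <img onerror> after jQuery rewrites "<style/>".
// Pattern below is jQuery's rxhtmlTag as shipped before 3.5.0; the 3.5.0
// fix made htmlPrefilter an identity function. Every string passed to
// .html(), .append() and the other manipulation methods went through it.

const rxhtmlTag =
  /<(?!area|br|col|embed|hr|img|input|link|meta|param)(([a-z][^\/\0>\x20\t\r\n\f]*)[^>]*)\/>/gi;

// jQuery < 3.5.0: expand "<x/>" into "<x></x>" before handing the string to the DOM.
function legacyHtmlPrefilter(html) {
  return html.replace(rxhtmlTag, "<$1></$2>");
}

// jQuery >= 3.5.0: pass the markup through untouched.
function fixedHtmlPrefilter(html) {
  return html;
}

// Toy approximation of the browser tokenizer for one detail only: everything
// after a <style> start tag is raw text until a literal "</style>", so tags in
// that region never become elements. Returns the names of tags that would
// become real elements. (Simplified: comments, CDATA and other raw-text
// elements such as <script> are not handled. Constructed for this example.)
function tagsOutsideStyle(html) {
  const lower = html.toLowerCase();
  const tags = [];
  let i = 0;
  let inStyle = false;
  while (i < lower.length) {
    if (inStyle) {
      const end = lower.indexOf("</style>", i);
      if (end === -1) break; // raw text runs to the end of the input
      i = end + "</style>".length;
      inStyle = false;
      continue;
    }
    if (lower[i] === "<") {
      const m = /^<([a-z][a-z0-9]*)/.exec(lower.slice(i));
      if (m) {
        if (m[1] === "style") {
          inStyle = true;
        } else {
          tags.push(m[1]);
        }
        i += m[0].length;
        continue;
      }
    }
    i++;
  }
  return tags;
}

// Constructed payload: a sanitizer that parses this with a real HTML parser
// sees one <style> element whose text happens to contain "<img ...>".
const SAMPLE = "<style><style/><img src=x onerror=alert(1)>";

// Which tags become elements in each of the three situations.
function demo() {
  return {
    asSanitized: tagsOutsideStyle(SAMPLE),
    afterLegacyPrefilter: tagsOutsideStyle(legacyHtmlPrefilter(SAMPLE)),
    afterFixedPrefilter: tagsOutsideStyle(fixedHtmlPrefilter(SAMPLE)),
  };
}

console.log(legacyHtmlPrefilter(SAMPLE));
console.log(demo());
```

The takeaway for the report above is that the jQuery finding is about the version of jQuery bundled with the client, not about any particular Apollo call site: any code path that passes attacker-influenced markup through a jQuery manipulation method on a version before 3.5.0 inherits the rewrite, so the remedy is the dependency bump rather than a local sanitizer.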

garrettjstevens commented 1 year ago

Some notes about where this fix would need to go if anyone takes this on: