vulnerability found with jquery ^3.3.1

[sukrut-gs]

vulnerability found with jquery ^3.3.1. Kindly upgrade to 3.5.0. The report says

Regex in its jQuery.htmlPrefilter sometimes may introduce XSS.

[sukrut-gs]

https://snyk.io/test/npm/jquery/3.3.1

[sukrut-gs]

@GerwinBosch when you are releasing this change..?

[GerwinBosch]

@sukrut-gs Sorry, give me 5 minutes

[sukrut-gs]

ok. cool

[GerwinBosch]

New version should be available now

[sukrut-gs]

yeah.. thanks.

[sukrut-gs]

Hey still getting

node_modules/@triply/yasr/build/yasr.min.js

Regex in its jQuery.htmlPrefilter sometimes may introduce XSS

@GerwinBosch

[sukrut-gs]

@GerwinBosch in yasgui.min.js and yasr.min.js it is still using 3.4.1 I think S.extend({expando:"jQuery"+("3.4.1"+Math.random()).replace(/\D/g,"")

[GerwinBosch]

It seems that some of the visualization plugins use an older version of jquery, run yarn why jquery.

Could you check if upgrading these packages would resolve the issue?

[sukrut-gs]

I got this => Found "datatables.net-dt#jquery@3.4.1" info This module exists because "@triply#yasgui#@triply#yasr#datatables.net-dt" depends on it. => Found "datatables.net#jquery@3.4.1" info This module exists because "@triply#yasgui#@triply#yasr#datatables.net" depends on it. => Found "pivottable#jquery@3.4.1" info This module exists because "@triply#yasgui#@triply#yasr#pivottable" depends on it.

[sukrut-gs]

Data tables have released newer version 2 days back. https://github.com/DataTables/Dist-DataTables-DataTables/blob/master/package.json But they are still using "jquery": ">=1.7" @GerwinBosch

[GerwinBosch]

Yep, that is similar to what I got, does updating those three packages resolve the issue?

[sukrut-gs]

I do not think.. because if you see datatables still uses jQuery >=1.7

[GerwinBosch]

In that case I'd look for a different plugin, however that's a lot more work then just updating some packages. @LaurensRietveld do you have any input?