jquery / jquery

jQuery JavaScript Library
https://jquery.com
MIT License

Avoiding JQuery version disclosure on Angular's Script.JS #5433

Closed lokeshv12 closed 2 months ago

lokeshv12 commented 2 months ago

As documented at https://www.invicti.com/web-vulnerability-scanner/vulnerabilities/version-disclosure-jquery/, jQuery makes its version accessible to the user through a browser's developer tools.


Is there any way to configure redaction to remove this information, or is it possible that it is not required and can be removed from jQuery?

mgol commented 2 months ago

Thanks for the report. However, exposing the current library version is a well-established practice and some libraries may even depend on that version being exposed. The additional security risk is negligible - there are not that many jQuery versions around and the attacker can just assume a version allowing a certain attack is installed and perform the attack - at worst, it will just fail. Also, differences between jQuery versions can be detected just by running some tests. Hiding the version won't achieve much here.

If you're running a custom jQuery build, you can set the version by yourself:

npm run build -- --version=5.1.2
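The practical control that follows from the reply above is not to hide the version string but to know which version is loaded and keep it above a threshold you have chosen. The following is an added audit helper, not code from the jQuery project or from either commenter; it reads the exposed `jQuery.fn.jquery` string from a page object (a constructed stand-in for `window` here) and compares it with an assumed policy minimum of 3.5.0.

```javascript
// Added example (not from jQuery): audit the jQuery version a page exposes
// instead of trying to redact it. The exposed string is the inventory signal;
// running an outdated copy is the actual risk.

// Parse "3.7.1" into numeric components. A suffix such as "-pre" is ignored.
function parseVersion(str) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(str));
  if (!m) return null;
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// True when version a is greater than or equal to version b (both as arrays).
function isAtLeast(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] > b[i];
  }
  return true;
}

// Audit a global object (window in a browser). minVersion is an assumed policy
// threshold chosen by the caller, not a value from the jQuery project.
function auditJQuery(globalObj, minVersion = "3.5.0") {
  const jq = globalObj.jQuery;
  if (!jq) {
    return { present: false, version: null, compliant: true };
  }
  const found = jq.fn && jq.fn.jquery;
  const parsed = parseVersion(found);
  if (!parsed) {
    return { present: true, version: String(found), compliant: false, reason: "unparseable version" };
  }
  const compliant = isAtLeast(parsed, parseVersion(minVersion));
  return {
    present: true,
    version: found,
    compliant,
    reason: compliant ? undefined : "below " + minVersion,
  };
}

// Constructed sample page: an outdated jQuery 1.12.4 is loaded.
const samplePage = { jQuery: { fn: { jquery: "1.12.4" } } };
console.log(auditJQuery(samplePage)); // { present: true, version: '1.12.4', compliant: false, reason: 'below 3.5.0' }
```

In a browser the same call is `auditJQuery(window)`; the result can be sent to whatever inventory or telemetry endpoint the team already uses.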