kitodo / kitodo-production

Kitodo.Production is a workflow management tool for mass digitization and is part of the Kitodo Digital Library Suite.
http://www.kitodo.org/software/kitodoproduction/
GNU General Public License v3.0

Source code contains minimized JavaScript code with unclear status #6061

Open stweil opened 4 months ago

stweil commented 4 months ago

The source code contains these files with minimized JavaScript code:

Both files come from external sources which are not clearly documented (neither the Git history nor the documentation give information on the URL which was used to download that code).

According to the Git history, jquery-2.1.1.min.js is from 2016. This very old code might contain security issues.

Both files should be clearly documented as external dependencies, ideally in a way which allows getting automated warnings from GitHub's Dependabot or similar tools if they need updates. It must also be possible to replace the minimized code with full code, for example in debug and development environments.

Maybe existing packages from the Linux distribution can be used for JQuery which would allow removing that code from the source tree.
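The inventory step this issue asks for (find every vendored minified JavaScript file, recover the library and version from its banner comment where one survives, and record a SHA-256 so a later replacement is visible in review) as an added example; it is not code from Kitodo.Production. The sample tree, its directory layout and the file contents are constructed for the example; the jQuery banner mimics the usual "/*! jQuery vX.Y.Z | ... */" release banner, and a file without a banner, like modeler_min.js here, is reported as having unknown provenance.

```python
"""Inventory vendored minified JavaScript files in a source tree.

Added example, not part of Kitodo.Production: walks a directory, finds
*.min.js / *_min.js files, recovers library name and version from the
banner comment most minifiers preserve, and records a SHA-256 so the file
can be compared against a known upstream release on the next update.
"""
import hashlib
import json
import os
import re
import tempfile

MINIFIED_NAME = re.compile(r"(\.min\.js|_min\.js)$", re.IGNORECASE)
# Matches banners such as "/*! jQuery v2.1.1 | ... */" in the first bytes of a file.
BANNER_VERSION = re.compile(r"/\*!?\s*([A-Za-z][\w .-]*?)\s+v?(\d+\.\d+(?:\.\d+)?)")


def sha256_file(path):
    """Hash the whole file so any silent re-minification shows up as a diff."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def banner_info(text):
    """Return (library, version) from a leading banner comment, or (None, None)."""
    match = BANNER_VERSION.search(text[:512])
    if not match:
        return None, None
    return match.group(1).strip(), match.group(2)


def find_minified(root):
    """Yield paths of files whose name marks them as minified JavaScript."""
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if MINIFIED_NAME.search(name):
                yield os.path.join(dirpath, name)


def inventory(root):
    """Build one manifest entry per minified file under root."""
    entries = []
    for path in find_minified(root):
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            head = fh.read(512)  # banners sit at the top; no need to read megabytes
        library, version = banner_info(head)
        entries.append({
            "path": os.path.relpath(path, root),
            "library": library,
            "version": version,
            "sha256": sha256_file(path),
            "provenance": "banner" if version else "UNKNOWN - document the upstream URL",
        })
    return entries


def undocumented(entries):
    """Paths whose origin could not be recovered and need a documented source."""
    return [entry["path"] for entry in entries if entry["version"] is None]


def build_sample_tree():
    """Constructed sample tree mimicking the two files named in the issue.

    The directory layout is hypothetical and the contents are not the real
    libraries; only the banner format follows jQuery's release convention.
    """
    root = tempfile.mkdtemp(prefix="vendored-js-")
    js_dir = os.path.join(root, "webapp", "js")
    os.makedirs(js_dir)
    with open(os.path.join(js_dir, "jquery-2.1.1.min.js"), "w", encoding="utf-8") as fh:
        fh.write("/*! jQuery v2.1.1 | (c) 2005, 2014 jQuery Foundation, Inc. "
                 "| jquery.org/license */\n!function(a,b){}(window);\n")
    with open(os.path.join(js_dir, "modeler_min.js"), "w", encoding="utf-8") as fh:
        fh.write("!function(){var a=1;}();\n")  # no banner: origin cannot be recovered
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    manifest = inventory(sample_root)
    print(json.dumps(manifest, indent=2))
    print("needs a documented upstream:", undocumented(sample_root and manifest))
```

Run it against the real source tree instead of the sample by passing the checkout directory to inventory(); the printed manifest is the kind of record a commit message or a THIRD-PARTY file can carry, and the SHA-256 column makes a later swap of the minified file reviewable even when the banner is unchanged.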

stweil commented 2 months ago

@solth, I think that jquery code from 2016 with unclear origin might be tagged as a security bug. It is not only an improvement.

Erikmitk commented 2 months ago

I don't know how to document that properly in this setting, but the modeler_min.js is an artifact from building the workflow editor which I maintain. It's not the most up-to-date version though.

There were some slight changes with async-method calls which break the integration in Kitodo.Production. My outstanding ToDo is to fix that and move the repo into the Kitodo organization. I agree that the situation is not ideal!

stweil commented 2 months ago

Thanks @Erikmitk. I think it would be sufficient to write more verbose commit messages which refer to the source URL as soon as the .js files get their next update.