simplecov-ruby / simplecov-html

HTML formatter for SimpleCov code coverage tool for ruby 1.9+
http://github.com/colszowka/simplecov
MIT License

jquery-3.4.1 contains vulnerabilities please upgrade to 3.5.1 #108

Closed jgarland79 closed 4 days ago

jgarland79 commented 3 years ago

https://snyk.io/vuln/npm:jquery@3.4.1

https://github.com/simplecov-ruby/simplecov-html/blob/main/assets/javascripts/libraries/jquery-3.4.1.js

https://code.jquery.com/jquery-3.5.1.js

PragTob commented 3 years ago

Hi, thanks for letting us know and we'll upgrade but as these are XSS vulnerabilities you'd need to look at somebody else's malicious code (as that's the user input we got) if that is even affected by this, or am I missing another attack vector here?

jgarland79 commented 3 years ago

@PragTob It doesn't seem to matter to our vulnerability scanner how it is used. Just that it is there and the code is flagged as vulnerable. :(

PragTob commented 3 years ago

Of course it doesn't matter for it :D So, your problem is more that your security scanner nags you about it than the actual security risk.

snarfmason commented 3 years ago

@PragTob hey, if I made a PR to update to jquery 3.5.1 would you accept the patch?

neilsy commented 2 years ago

@PragTob I've made a PR to update the embedded jquery here: https://github.com/simplecov-ruby/simplecov-html/pull/115 I am not quite sure the process for contributing... I did run simplecov tests with the updated simplecov-html gem loaded from my local code. I also tested with my own code, generating a full coverage report on a suite of tests.

neilsy commented 2 years ago

@PragTob Do you have time to check this out? #115 It would help my team a lot if we could comply with my company's security policies without begging for exceptions! Probably there are many others in the same boat now, with off-the-shelf scans becoming standard.
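As an added example (not code from simplecov-html or from any of the commenters), a small Ruby check in the spirit of the scanner jgarland79 describes: it walks a gem's asset tree for vendored jQuery files, reads the version from jQuery's own header comment or its `version = "..."` assignment (the header formats are an assumption about jQuery's source layout), and flags anything below 3.5.0. The sample tree, file contents and `MIN_JQUERY` threshold are constructed for the example.

```ruby
require "tmpdir"
require "fileutils"

# Minimum acceptable jQuery version for this check (constructed threshold).
MIN_JQUERY = Gem::Version.new("3.5.0")

# Extract the version from a jQuery source file. Assumed formats: the header
# comment ("jQuery v3.4.1" in minified builds, "jQuery JavaScript Library
# v3.4.1" in unminified ones) or the `version = "3.4.1"` assignment.
def jquery_version_from(source)
  m = source.match(/jQuery(?: JavaScript Library)? v(\d+\.\d+\.\d+)/) ||
      source.match(/version\s*=\s*"(\d+\.\d+\.\d+)"/)
  m && Gem::Version.new(m[1])
end

# Walk +dir+ for *.js files that carry a jQuery version and report each one
# with whether it falls below +minimum+. Like a dependency scanner, this keys
# off the shipped file only, not on how the page actually uses it.
def scan_vendored_jquery(dir, minimum = MIN_JQUERY)
  Dir.glob(File.join(dir, "**", "*.js")).sort.filter_map do |path|
    version = jquery_version_from(File.read(path))
    next unless version
    { path: path, version: version.to_s, outdated: version < minimum }
  end
end

# Constructed sample tree mirroring the gem's assets/javascripts/libraries
# layout: the flagged 3.4.1 file, the 3.5.1 replacement, and an unrelated file.
def demo_scan
  Dir.mktmpdir do |root|
    lib = File.join(root, "assets", "javascripts", "libraries")
    FileUtils.mkdir_p(lib)
    File.write(File.join(lib, "jquery-3.4.1.js"),
               "/*!\n * jQuery JavaScript Library v3.4.1\n * https://jquery.com/\n */\n")
    File.write(File.join(lib, "jquery-3.5.1.js"),
               "/*! jQuery v3.5.1 | (c) JS Foundation and other contributors */\n")
    File.write(File.join(lib, "application.js"), "console.log('not jquery');\n")
    scan_vendored_jquery(root).map { |r| [File.basename(r[:path]), r[:version], r[:outdated]] }
  end
end

if __FILE__ == $PROGRAM_NAME
  demo_scan.each do |name, version, outdated|
    puts "#{name}: #{version}#{outdated ? ' (below minimum, upgrade)' : ' (ok)'}"
  end
end
```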