sphinx-doc / sphinx

The Sphinx documentation generator
https://www.sphinx-doc.org/

When is the next Sphinx release that will contain the latest jquery 3.6.0? #9974

Closed dmpz23 closed 2 years ago

dmpz23 commented 2 years ago

Describe the bug

Our software team is using Sphinx 4.3.1 to generate python api docs. Our cybersecurity team is stating that we are using an outdated version of jquery (version 3.5.1) and the outdated version is a security vulnerability.

jquery-3.5.1.js is located in the html_static folder.

When will Sphinx upgrade to jquery 3.6.0?

The last time that Sphinx updated its jquery file was in May 2020.

Release 3.0.4 (released May 27, 2020) Bugs fixed

7696: html: Updated jQuery version from 3.4.1 to 3.5.1 for security reasons

Thanks in advance, Dan

How to Reproduce

Generate html from Sphinx 4.3.1 and inspect the \html_static folder for jquery-3.5.1.js.

Expected behavior

A future Sphinx release will generate html files that contain jquery-3.6.0.js in the \html_static folder.

Your project

none

Screenshots

No response

OS

Windows 10

Python version

3.7x

Sphinx version

4.3.1

Sphinx extensions

No response

Extra tools

No response

Additional context

No response
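A check that automates the reproduction step above, as an added example that is not part of this issue or of Sphinx's own code. It assumes the version banner formats jQuery ships in its unminified and minified files and builds a constructed `_static` directory to scan.

```python
import re
import tempfile
from pathlib import Path

# Banner forms used by jQuery distributions (unminified: "jQuery JavaScript Library vX.Y.Z",
# minified: "jQuery vX.Y.Z"); assumption based on jQuery's own files, not on Sphinx.
_HEADER_RE = re.compile(r"jQuery(?: JavaScript Library)? v(\d+)\.(\d+)\.(\d+)")
# Sphinx also names the unminified copy after its version, e.g. jquery-3.5.1.js.
_FILENAME_RE = re.compile(r"jquery-(\d+)\.(\d+)\.(\d+)(?:\.min)?\.js$", re.I)


def jquery_version(path: Path):
    """Return (major, minor, patch) for a bundled jQuery file, or None if unrecognised."""
    m = _FILENAME_RE.search(path.name)
    if m:
        return tuple(int(x) for x in m.groups())
    # The banner sits at the top of the file, so reading the first KB is enough.
    with path.open("r", encoding="utf-8", errors="replace") as fh:
        head = fh.read(1024)
    m = _HEADER_RE.search(head)
    return tuple(int(x) for x in m.groups()) if m else None


def audit_static(static_dir: Path, minimum=(3, 6, 0)):
    """Scan an html/_static directory; return [(file name, version, meets minimum)]."""
    findings = []
    for js in sorted(static_dir.glob("jquery*.js")):
        ver = jquery_version(js)
        if ver is None:
            continue  # not a jQuery build we can identify; report nothing rather than guess
        findings.append((js.name, ver, ver >= minimum))
    return findings


def demo():
    """Constructed sample mimicking what Sphinx 4.3.1 leaves in html/_static."""
    d = Path(tempfile.mkdtemp())
    (d / "jquery-3.5.1.js").write_text("/*!\n * jQuery JavaScript Library v3.5.1\n */\n")
    (d / "jquery.js").write_text(
        "/*! jQuery v3.5.1 | (c) JS Foundation and other contributors | jquery.org/license */"
    )
    (d / "underscore.js").write_text("// not jQuery\n")
    return audit_static(d)


if __name__ == "__main__":
    for name, ver, ok in demo():
        print(f"{name}: {'.'.join(map(str, ver))} {'OK' if ok else 'BELOW MINIMUM'}")
```

Run it against a real build's `_static` by calling `audit_static(Path("html/_static"))`; any entry flagged `False` is a bundled copy older than the minimum you set.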

astrojuanlu commented 2 years ago

There are plans to drop jQuery, see #7405 and #9874

tk0miya commented 2 years ago

Thank you for letting us know. No reason to keep it old. Let's upgrade.

BTW, the release blog entry says jquery-3.6.0 does not include a security fix.

This release does not include a security fix, but does have some good bug fixes and improvements. https://blog.jquery.com/2021/03/02/jquery-3-6-0-released/

Could you ask your cybersecurity team about the security vulnerability, please? I'd like to upgrade it in v4.3.2 ASAP if jquery-3.5.1 contains a security problem. If not, I'll upgrade it in v4.4.0.

dmpz23 commented 2 years ago

@tk0miya - Yes I will ask about the security vulnerability and let you know. Stay tuned. Dan

dmpz23 commented 2 years ago

The security vulnerability is described as: jQuery contains commented references to the hijacked domain blindsignals, within the files src/queue/delay.js and test/data/jquery-1.9.1.js (the former referring to a Web Archive version of the original site). Users without awareness of the domain's status could be exposed to unspecified attacks if they attempt to follow the links to the hijacked site.

Since jquery-3.6.0 does not fix this issue, it seems we have to wait for jquery to come up with a fix and then incorporate that into Sphinx.

tk0miya commented 2 years ago

Thank you for the detailed info. I found an issue for it: https://github.com/jquery/jquery/issues/4981 I'll update the bundled jQuery after it is released.