A JavaScript injection vulnerability (injection into the server-side DOM environment) was discovered in the happy-dom package. The package resolved the vulnerability in version 15.10.2, but the Universal Viewer dependency that uses happy-dom has not yet updated its version. IIIF-AV-Component is still on v6.0.4 of happy-dom as of its latest release, and there are no open issues or PRs that address this.
Acceptance Criteria
Resolve happy-dom security vulnerability by:
[ ] Create pull request to update happy-dom version on iiif-av-component repo.
[ ] Work with the community to cut a new release of iiif-av-component
[ ] Work with the community to cut a new release of universal viewer that uses the newer iiif-av-component.
[ ] Update DCS blacklight to new release of universal viewer
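Before and after each step above, it helps to confirm which happy-dom copies a project's lockfile actually resolves, since a transitive copy nested under iiif-av-component can stay on the old version even when the root app pins a fixed one. The following is an added example (not code from this issue, universal viewer or iiif-av-component); it assumes an npm package-lock.json with lockfileVersion 2 or 3 (the "packages" map) and uses a constructed sample lockfile in place of reading one from disk.

```javascript
// Added example: scan an npm package-lock.json (lockfileVersion 2 or 3, "packages" map)
// for every installed copy of a dependency and flag versions below the fixed release.
// Hypothetical helper, not code from the issue or the projects it names.
const FIXED_VERSION = "15.10.2"; // from the issue: happy-dom fixed the bug in 15.10.2

// Parse "MAJOR.MINOR.PATCH" into numbers (prerelease/build suffixes are ignored).
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a semver string: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Negative if a < b, 0 if equal, positive if a > b (numeric, not string, compare).
function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Walk the lockfile's "packages" map. Keys are install paths such as
// "node_modules/iiif-av-component/node_modules/happy-dom", so nested
// (transitive) copies are found as well as the root one.
function findDependency(lock, name, fixedVersion = FIXED_VERSION) {
  const packages = lock.packages || {};
  const suffix = `node_modules/${name}`;
  return Object.entries(packages)
    .filter(([p]) => p === suffix || p.endsWith(`/${suffix}`))
    .map(([p, entry]) => ({
      path: p,
      version: entry.version,
      vulnerable: compareSemver(entry.version, fixedVersion) < 0,
    }));
}

// Constructed sample lockfile: the root app resolves a fixed copy, but a
// nested copy under iiif-av-component still resolves the old version.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", version: "1.0.0" },
    "node_modules/happy-dom": { version: "15.10.2" },
    "node_modules/iiif-av-component": { version: "1.2.4" },
    "node_modules/iiif-av-component/node_modules/happy-dom": { version: "6.0.4" },
  },
};

for (const r of findDependency(SAMPLE_LOCK, "happy-dom")) {
  console.log(`${r.path}: ${r.version} ${r.vulnerable ? `VULNERABLE (< ${FIXED_VERSION})` : "ok"}`);
}
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))`; any path reported as vulnerable is a copy the upgrade steps above still have to reach.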
Engineering Notes
It may be advantageous to work towards backporting the change to older releases so we do not have to rush to upgrade any packages that may involve breaking changes.
https://github.com/yalelibrary/yul-dc-blacklight/security/dependabot/251
https://github.com/IIIF-Commons/iiif-av-component/blob/v1.2.4/package.json
https://github.com/UniversalViewer/universalviewer/blob/main/package-lock.json#L275