Problem/Motivation
One of our Drupal site's repositories on GitHub, which uses Dependabot alerts, raised this critical security warning in the /docroot/core/yarn.lock file.
- jQuery UI Cross-site Scripting when refreshing a checkboxradio with an HTML-like initial text label. Patched version: 1.13.2
Proposed resolution
Please update these dependency versions and compile the assets to remove this issue.
Thank you,
Comments
Comment #2
jlariza commented
Comment #3
cilefen (as a volunteer) commented: There is already an issue for Terser. Can you please refocus this issue to jQuery UI by updating the title and summary?
Comment #4
jlariza commented
Comment #5
jlariza commented: @cilefen Done. Thank you
Comment #8
xjm commented: MR is empty, so removing credit for it.
This will need to be backported to 9.3.x.
Comment #14
xjm commented: Posted MRs for each branch. The 10.0.x MR should also apply to 10.1.x.
Comment #15
xjm commented: Blah @ that test. Should it still exist now that jQuery UI is being maintained upstream?
Comment #17
benjifisher commented: Well, it seems to have been removed in the 10.0.x branch in #3277744: Actually remove deprecated jquery_ui libraries from core. I will not second-guess whether that issue should be back-ported.
Looking at the tests, I think the right thing to do is update the md5 hashes. It helps to have a text editor that makes macros easy.
Comment #18
quietone (at PreviousNext) commented: Now that I have taken the time to learn how to update JavaScript dependencies, I practiced with this issue. I made the updates locally for 9.3.x, 9.4.x, 9.5.x, and 10.0.x and made patches. I then compared those results to the corresponding diff for each MR here. In all cases they were the same, with the exception of the changes to the test file, \Drupal\KernelTests\Core\Asset\DeprecatedJqueryUiAssetsTest, which I did not update for each branch. I can confirm then that those updates are correct.
And then, since the test is passing, the hashes updated in #17 are correct. Therefore, going with an RTBC.
Comment #28
lauriii commented: Confirmed that I got the same results running yarn vendor-update locally and all looks good. Committed MRs to their respective branches.