Problem/Motivation

One of our Drupal site's repositories on GitHub, which uses Dependabot alerts, raised this critical security warning for the /docroot/core/yarn.lock file.

  • jQuery UI Cross-site Scripting when refreshing a checkboxradio with an HTML-like initial text label. Patched version: 1.13.2

Proposed resolution

Please update these dependency versions and compile the assets to remove this issue.

Thank you,
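As an added example (not part of the original issue, and not Drupal core's own tooling), the following script parses a yarn.lock v1 file and reports any resolved jquery-ui version that is still below the patched 1.13.2 release named in the alert. The lockfile excerpt embedded in it is constructed sample input, not the site's real /docroot/core/yarn.lock, and the resolved URLs and integrity hashes in it are placeholders.

```python
import re

# Constructed yarn.lock v1 excerpt used as sample input; it is not the
# site's real /docroot/core/yarn.lock and the URL fragments/hashes are placeholders.
SAMPLE_YARN_LOCK = """\
# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


jquery-ui@1.13.1:
  version "1.13.1"
  resolved "https://registry.yarnpkg.com/jquery-ui/-/jquery-ui-1.13.1.tgz#PLACEHOLDER"
  integrity sha512-PLACEHOLDER
  dependencies:
    jquery ">=1.8.0 <4.0.0"

"jquery@>=1.8.0 <4.0.0", jquery@^3.6.0:
  version "3.6.0"
  resolved "https://registry.yarnpkg.com/jquery/-/jquery-3.6.0.tgz#PLACEHOLDER"
  integrity sha512-PLACEHOLDER
"""

# Matches the indented 'version "x.y.z"' line inside a lockfile entry.
VERSION_RE = re.compile(r'^\s+version\s+"([^"]+)"\s*$')


def package_name(spec):
    """Strip the range from a lockfile spec such as jquery-ui@1.13.1 or @scope/pkg@^1.0.0."""
    spec = spec.strip().strip('"')
    at = spec.rfind("@")
    # A scoped package starts with '@', so only an '@' past position 0 separates the range.
    return spec[:at] if at > 0 else spec


def parse_yarn_lock(text):
    """Return [(package, resolved_version), ...] for every entry in a yarn.lock v1 file."""
    entries = []
    pending = []  # package names of the entry whose 'version' line has not been seen yet
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():
            # Top-level key: one or more comma-separated specs ending in ':'.
            names = []
            for spec in line.rstrip().rstrip(":").split(","):
                name = package_name(spec)
                if name not in names:
                    names.append(name)
            pending = names
        else:
            m = VERSION_RE.match(line)
            if m and pending:
                entries.extend((name, m.group(1)) for name in pending)
                pending = []  # one resolved version per entry
    return entries


def version_key(version):
    """Comparable tuple for a dotted version; any '-prerelease' suffix is dropped."""
    core = version.split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def find_below(entries, package, patched):
    """Entries of `package` whose resolved version is older than `patched`."""
    return [(name, ver) for name, ver in entries
            if name == package and version_key(ver) < version_key(patched)]


def audit(text, package="jquery-ui", patched="1.13.2"):
    """Lockfile audit: versions of `package` that still need the update."""
    return find_below(parse_yarn_lock(text), package, patched)


if __name__ == "__main__":
    for name, ver in audit(SAMPLE_YARN_LOCK):
        print(f"{name} {ver} is below the patched release 1.13.2; update it and rebuild the assets")
```

Run it against a real lockfile by reading the file into `audit()`; an empty result means every resolved jquery-ui entry is at or above 1.13.2. The check reads the `version` line rather than the entry key, because the key holds the requested range while the `version` line holds what was actually resolved and installed.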

Issue fork drupal-3300040


Comments

jlariza created an issue. See original summary.

jlariza

Issue summary: View changes
cilefen

Category: Bug report » Task
Issue tags: -Yarn
Related issues: +#3296481: Update terser and terser-webpack-plugin to the latest versions

There is already an issue for Terser. Can you please refocus this issue to jQuery UI by updating the title and summary?

jlariza

Title: yarn libraries using insecure versions » Update jQuery UI to the latest versions
Issue summary: View changes
jlariza

@cilefen Done. Thank you

g_miric made their first commit to this issue’s fork.

xjm

Version: 9.4.x-dev » 9.3.x-dev

MR is empty, so removing credit for it.

This will need to be backported to 9.3.x.

xjm

Status: Active » Needs review

Posted MRs for each branch. The 10.0.x MR should also apply to 10.1.x.

xjm

Status: Needs review » Needs work

Blah @ that test. Should it still exist now that jQuery UI is being maintained upstream?

benjifisher made their first commit to this issue’s fork.

benjifisher

Blah @ that test. Should it still exist now that jQuery UI is being maintained upstream?

Well, it seems to have been removed in the 10.0.x branch in #3277744: Actually remove deprecated jquery_ui libraries from core. I will not second-guess whether that issue should be back-ported.

Looking at the tests, I think the right thing to do is update the md5 hashes. It helps to have a text editor that makes macros easy.

quietone

Status: Needs work » Reviewed & tested by the community

Now that I have taken the time to learn how to update JavaScript dependencies, I practiced with this issue. I made the updates locally for 9.3.x, 9.4.x, 9.5.x, and 10.0.x and made patches. I then compared those results to the corresponding diff for each MR here. In all cases they were the same, with the exception of the changes to the test file, \Drupal\KernelTests\Core\Asset\DeprecatedJqueryUiAssetsTest, which I did not update for each branch. I can confirm then that those updates are correct.

And then, since the test is passing the hashes updated in #17 are correct. Therefore, going with an RTBC.

  • lauriii committed 084ff93 on 10.1.x
    Issue #3300040 by xjm, benjifisher, jlariza, cilefen, quietone: Update...

  • lauriii committed a72dcea on 10.0.x
    Issue #3300040 by xjm, benjifisher, jlariza, cilefen, quietone: Update...

  • lauriii committed 1af3161 on 9.5.x
    Issue #3300040 by xjm, benjifisher, jlariza, cilefen, quietone: Update...

  • lauriii committed 0490106 on 9.4.x
    Issue #3300040 by xjm, benjifisher, jlariza, cilefen, quietone: Update...

  • lauriii committed fd24dca on 9.3.x
    Issue #3300040 by xjm, benjifisher, jlariza, cilefen, quietone: Update...

lauriii

Status: Reviewed & tested by the community » Fixed

Confirmed that I got the same results running yarn vendor-update locally and all looks good. Committed MRs to their respective branches.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.