I was just reviewing a site using the Sonar tool, and one of the issues it identified is a vulnerable jQuery library version 1.8.3:

jQuery@1.8.3 has 2 known vulnerabilities (2 medium). See https://snyk.io/vuln/npm:jquery for more information.

When I view the settings page for the jQuery Update module on this site, it does not show any minor numbers; I can choose jQuery 1.7 or 1.8 or 1.9 but it does not seem to offer any additional details about which minor version is in use: 1.8.(X)?

Is it possible to associate this module with Snyk's vulnerability DB in order to have the jQuery Update module inform users when a vulnerable jQuery lib is in use? Or at least show minor numbers somewhere?

NOTE: This is not a security issue with this module, but rather a Feature Request to make security issues with the installed jQuery libs more readily available.
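As an added illustration of what the request above is asking for (this is example code, not part of the jQuery Update module or of this issue), the script below surfaces the exact major.minor.patch version of an installed jQuery and checks it against a list of advisory "fixed-in" versions. The advisory entries (`EXAMPLE-ADVISORY-1`, `EXAMPLE-ADVISORY-2`) and the sample banner are constructed placeholders; real ranges would come from an advisory database such as the Snyk page cited above. What is real: jQuery exposes its version at runtime as `jQuery.fn.jquery`, and its source files carry a banner comment naming the version.

```javascript
// Added example, not code from the jQuery Update module or from this issue.
// Goal: surface the exact jQuery version (major.minor.patch, the "1.8.(X)"
// the settings page hides) and compare it against advisory fixed-in versions.
// The advisory entries are constructed placeholders; real ranges should come
// from an advisory database such as the Snyk page cited in the issue.

// Parse "1.8.3" (or "v1.8.3", or "1.8") into [major, minor, patch].
function parseVersion(str) {
  const m = /^v?(\d+)\.(\d+)(?:\.(\d+))?/.exec(String(str).trim());
  if (!m) return null;
  return [Number(m[1]), Number(m[2]), Number(m[3] || 0)];
}

// Numeric, component-wise comparison: -1 if a < b, 0 if equal, 1 if a > b.
// (String comparison would wrongly rank "1.10.0" below "1.9.0".)
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Read the version from a jQuery source file's banner comment. jQuery ships
// banners such as "/*! jQuery v1.8.3 ..." (minified) and
// "jQuery JavaScript Library v1.8.3" (unminified); the regex accepts both.
function versionFromBanner(source) {
  const m = /jQuery(?:\s+JavaScript\s+Library)?\s+v(\d+\.\d+(?:\.\d+)?)/.exec(source);
  return m ? m[1] : null;
}

// In a browser, a loaded jQuery reports its version as jQuery.fn.jquery.
function versionFromRuntime(jq) {
  return jq && jq.fn && typeof jq.fn.jquery === 'string' ? jq.fn.jquery : null;
}

// Constructed placeholder advisories: each names the first release containing the fix.
const ADVISORIES = [
  { id: 'EXAMPLE-ADVISORY-1', severity: 'medium', fixedIn: '1.9.0' },
  { id: 'EXAMPLE-ADVISORY-2', severity: 'medium', fixedIn: '3.0.0' },
];

// Every advisory whose fix landed in a release newer than the installed one applies.
function findAdvisories(version, advisories = ADVISORIES) {
  const v = parseVersion(version);
  if (!v) throw new Error(`unparseable jQuery version: ${version}`);
  return advisories.filter((a) => compareVersions(v, parseVersion(a.fixedIn)) < 0);
}

// Summary an admin settings page could show next to the selected jQuery version.
function report(version, advisories = ADVISORIES) {
  const hits = findAdvisories(version, advisories);
  return {
    version,
    vulnerable: hits.length > 0,
    advisories: hits.map((a) => `${a.id} (${a.severity}, fixed in ${a.fixedIn})`),
  };
}

// Constructed sample in the shape of a minified jQuery banner.
const SAMPLE_BANNER =
  '/*! jQuery v1.8.3 jquery.com | jquery.org/license */\n(function(e,t){/* ... */})(window);';

const installed = versionFromBanner(SAMPLE_BANNER);
console.log(JSON.stringify(report(installed), null, 2));
```

In a Drupal module the `versionFromBanner` step would be run server-side over the bundled `jquery.js` files so the settings page can print the full version, and `report` would be driven by a periodically refreshed advisory feed rather than the constants above.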

Comments

nerdcore created an issue.

nerdcore

Issue summary: updated

nerdcore

Issue summary: updated

mgifford

Issue tags: +Security

Google's Lighthouse audit also identifies this as a problem.

mgifford

Issue summary: updated

markhalliwell

Status: Active » Closed (duplicate)
Related issues: +#2939759: Warn users of outdated/insecure jQuery and jQuery UI versions