I was just reviewing a site using the Sonar tool, and one of the issues it identified is a vulnerable jQuery library version 1.8.3:
jQuery@1.8.3 has 2 known vulnerabilities (2 medium). See https://snyk.io/vuln/npm:jquery for more information.
When I view the settings page for the jQuery Update module on this site, it does not show any minor numbers; I can choose jQuery 1.7 or 1.8 or 1.9 but it does not seem to offer any additional details about which minor version is in use: 1.8.(X)?
Is it possible to associate this module with Snyk's vulnerability DB in order to have jQuery Update module inform users when a vulnerable jQuery lib is in use? Or at least show minor numbers somewhere?
NOTE: This is not a security issue with this module, but rather a Feature Request to make security issues with the installed jQuery libs more readily available.
Comments
Comment #2
nerdcore commented

Comment #3
nerdcore commented

Comment #4
mgifford
Google's Lighthouse audit also identifies this as a problem.

Comment #5
mgifford

Comment #6
markhalliwell