Problem/Motivation

The DropzoneJS library located in libraries/dropzone/ is still built with an outdated JavaScript toolchain whose packages carry known CVEs:

  • webpack 5.23.0 — CVE-2023-28154 (Critical)
  • terser ≤ 5.6 — CVE-2022-25858 (High)
  • postcss ≤ 8.2.6 — CVE-2021-23382 (High)
  • loader-utils 1.4 / 2.0 — CVE-2022-37599 / 37603 (High)
  • json5 ≤ 2.2.0 — CVE-2022-46175 (High)

These packages are build-time dependencies: they run on the developer or CI machine that regenerates /dist and are not shipped to the browser, so the vulnerable code itself never reaches site visitors. The remaining exposure is to whoever runs the build (most of the listed issues are regular-expression denial of service or prototype pollution triggered by crafted build input) and to general supply-chain hygiene, so the runtime risk is not severe. Modernizing them removes the scanner findings and keeps the library on a maintained toolchain.

Steps to reproduce

  1. Inspect web/libraries/dropzone/yarn.lock.
  2. Note the versions listed above.
  3. Run yarn audit in that directory (or any other vulnerability scanner); the CVEs above are flagged.

Proposed resolution

  1. Bump DropzoneJS to the latest 6.x tag (currently 6.1.0).
  2. Run yarn install && yarn build with:
    • webpack ≥ 5.76.0
    • terser ≥ 5.14.2
    • postcss ≥ 8.4.37
    • loader-utils ≥ 2.0.4
    • json5 ≥ 2.2.2
  3. Commit the regenerated /dist assets and the updated yarn.lock. Diff the new /dist against the previous one before committing: the rebuilt bundle is what site visitors actually load, so any change beyond the expected bundler and minifier differences should be explained.
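The lockfile check behind the steps above, as an added example that is not part of this issue or of the dropzonejs module: a POSIX shell script that parses a yarn v1 lockfile and reports whether each package named in this issue resolves to at least the minimum fixed version from the proposed resolution. The embedded lockfile excerpt is constructed for illustration; the MIN_VERSIONS list, the function names and the argument handling are the example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the issue or from the dropzonejs module: check a
# yarn v1 lockfile for the packages named in this issue and flag any resolved
# version below the minimum fixed version from the proposed resolution.
# SAMPLE_LOCK is a constructed excerpt; pass the path to
# web/libraries/dropzone/yarn.lock as $1 to check the real file.

# Minimum fixed versions, as listed in the proposed resolution.
MIN_VERSIONS='webpack 5.76.0
terser 5.14.2
postcss 8.4.37
loader-utils 2.0.4
json5 2.2.2'

# Constructed yarn.lock excerpt: two packages still on vulnerable versions,
# two already fixed, postcss absent.
SAMPLE_LOCK='# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1

webpack@^5.23.0:
  version "5.23.0"
  resolved "https://registry.yarnpkg.com/webpack/-/webpack-5.23.0.tgz"

terser@^5.3.4:
  version "5.6.0"

"loader-utils@^1.4.0", "loader-utils@^2.0.0":
  version "2.0.4"

json5@^2.1.2:
  version "2.2.2"
'

# vercmp A B: succeed (exit 0) when dotted numeric version A >= B.
# Pre-release suffixes are not handled; yarn resolves the packages above to plain x.y.z.
vercmp() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      xi = (i <= na) ? x[i] + 0 : 0
      yi = (i <= nb) ? y[i] + 0 : 0
      if (xi > yi) exit 0
      if (xi < yi) exit 1
    }
    exit 0
  }'
}

# lock_versions: read a yarn v1 lockfile on stdin, print "name version" per entry.
# Entry headers are unindented lines ending in ":"; the package name is the first
# spec with its quotes and trailing "@range" removed (scoped names keep their leading @).
lock_versions() {
  awk '
    /^[^ #].*:$/ {
      spec = $0; sub(/:$/, "", spec); sub(/,.*/, "", spec); gsub(/"/, "", spec)
      name = spec; sub(/@[^@]*$/, "", name); next
    }
    /^[ ]+version "/ && name != "" {
      v = $2; gsub(/"/, "", v); print name, v; name = ""
    }
  '
}

# check_lock LOCKFILE_CONTENT: print one status line per package in MIN_VERSIONS.
check_lock() {
  lock=$1
  printf '%s\n' "$MIN_VERSIONS" | while read -r name min; do
    found=$(printf '%s\n' "$lock" | lock_versions | awk -v n="$name" '$1 == n { print $2; exit }')
    if [ -z "$found" ]; then
      echo "$name: not in lockfile"
    elif vercmp "$found" "$min"; then
      echo "$name $found: OK (>= $min)"
    else
      echo "$name $found: VULNERABLE (< $min)"
    fi
  done
}

# lock_is_clean LOCKFILE_CONTENT: succeed only when nothing is flagged VULNERABLE.
lock_is_clean() {
  ! check_lock "$1" | grep -q 'VULNERABLE'
}

if [ -n "${1:-}" ]; then
  check_lock "$(cat "$1")"
else
  check_lock "$SAMPLE_LOCK"
fi
```

Run it against web/libraries/dropzone/yarn.lock before and after the upgrade. It does not replace yarn audit, which matches against the advisory database rather than a hand-written list; its purpose is to confirm that the lockfile really pins the versions the issue asks for. yarn install does not move an already-locked package forward just because package.json now allows a newer range, so after editing the ranges run yarn upgrade for the affected packages and then re-check the lockfile.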

Remaining tasks

  • Create a patch/MR updating package.json and yarn.lock.
  • Re-build assets and commit the new /dist.
  • Smoke-test drag-and-drop uploads (Media Library, entity browser).
  • Tag a new 2.x release once verified.

User interface changes

None expected—the Dropzone widget should behave identically.

API changes

None.

Data model changes

None.

Issue fork dropzonejs-3559310

Comments

drupalam created an issue.

fpoirier

Does anyone have a patch to share, by any chance?

dkmishra made their first commit to this issue’s fork.