Security : vulnerability on jquery #45
@jamesls - I know this package isn't actively maintained, but any update on this? I'd be happy to make the change myself if you could grant contributor access.
jQuery isn't used. No action is needed here.
@darrenmothersele There's an
This is still an issue. It doesn't get flagged in NPM - but it gets flagged in security scans. And this library is a dependency of the AWS-SDK - so it's challenging to work around. Does this index.html even need to be in the npm package? It's not part of source.
#62 has been merged and a 0.16.0 release has been published with this fix.
Could we please update this? bower.json --> jmespath.js to 0.16.0. It may resolve the jmespath#45 issue.
Versions of jquery below 3.0.0 are vulnerable to XSS injection.
The index.html does require a lower version of jquery, making the module vulnerable.
ID : CVE-2015-9251
CVSS Score : 6.1
Description : jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.
Origin : jmespath dependency
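
The kind of check a dependency scan runs here, as an added example that is not part of the issue or of the jmespath.js code base: it flags `<script>` tags in a package's HTML files that load jQuery older than 3.0.0. The function names and the `SAMPLE` file contents are constructed for illustration, and the version is read from the script URL only.

```javascript
// Flag <script> tags that load a jQuery older than 3.0.0, the range named in
// CVE-2015-9251, in HTML files shipped inside a package.
const FIXED = [3, 0, 0]; // first release outside the affected range

// Compare two [major, minor, patch] arrays; negative when a < b.
function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Return every jQuery <script src> found in `html` with its parsed version.
function findJqueryRefs(html) {
  const refs = [];
  const scriptTag = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  // Matches ".../jquery/1.9.1/jquery.min.js" and ".../jquery-2.2.4.min.js".
  const versioned = /jquery[-\/.@]v?(\d+)\.(\d+)(?:\.(\d+))?/i;
  let m;
  while ((m = scriptTag.exec(html)) !== null) {
    const src = m[1];
    if (!/jquery/i.test(src)) continue;
    const v = versioned.exec(src);
    const version = v ? [Number(v[1]), Number(v[2]), Number(v[3] || 0)] : null;
    // No version in the URL: affected stays null so a person reviews it.
    refs.push({
      src,
      version: version && version.join('.'),
      affected: version ? cmp(version, FIXED) < 0 : null,
    });
  }
  return refs;
}

// Scan a {path: contents} map and keep only HTML files with findings.
function scanFiles(files) {
  const report = {};
  for (const [path, body] of Object.entries(files)) {
    if (!/\.html?$/i.test(path)) continue;
    const refs = findJqueryRefs(body);
    if (refs.length) report[path] = refs;
  }
  return report;
}

// Constructed sample input, not the real package contents.
const SAMPLE = {
  'index.html': '<script src="https://code.jquery.com/jquery-1.9.1.min.js"></script>\n' +
    '<script src="vendor/jquery/3.5.1/jquery.min.js"></script>',
  'jmespath.js': '// library source, not scanned',
};
console.log(JSON.stringify(scanFiles(SAMPLE), null, 2));
```

A finding from this check means only that the file references an affected jQuery version; whether that file is ever loaded by consumers of the package is a separate question.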