[SPARK-27358] Update jquery to 1.12.x to pick up security fixes - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 3.0.0
Fix Version/s: 2.3.4, 2.4.2, 3.0.0
Component/s: Web UI
Labels:
None

Target Version/s:

3.0.0

Description

jquery 1.11.1 is affected by a CVE:
https://www.cvedetails.com/cve/CVE-2016-7103/

This triggers some warnings in tools that check for known security issues in dependencies.
Note that I do not know whether this actually manifests as a security problem for Spark. But, we can easily update to 1.12.4 (latest 1.x version) to resolve it.

(Note that https://www.cvedetails.com/cve/CVE-2015-9251/ seems to have been fixed in 1.12 but then unfixed, so this may require a much bigger jump to jquery 3.x if it's a problem; leaving that until later.)

Along the way we will want to update jquery datatables to 1.10.18 to match jquery 1.12.4.

Relatedly, jquery mustache 0.8.1 also has a CVE: https://snyk.io/test/npm/mustache/0.8.2

I propose to update to 2.3.12 (latest 2.x) to resolve it.

Although targeted for 3.0, I believe this is back-port-able to 2.4.x if needed, assuming we find no UI issues.

Attachments

Issue Links

links to

GitHub Pull Request #24288

Activity

People

Assignee:: Sean R. Owen

Reporter:: Sean R. Owen

Votes:: 0 Vote for this issue

Watchers:: 0 Start watching this issue

Dates

Created:: 03/Apr/19 21:10

Updated:: 05/Apr/19 18:04

Resolved:: 05/Apr/19 18:04