Details
Description
jquery 1.11.1 is affected by a CVE:
https://www.cvedetails.com/cve/CVE-2016-7103/
This triggers some warnings in tools that check for known security issues in dependencies.
Note that I do not know whether this actually manifests as a security problem for Spark. But, we can easily update to 1.12.4 (latest 1.x version) to resolve it.
(Note that https://www.cvedetails.com/cve/CVE-2015-9251/ seems to have been fixed in 1.12 but then unfixed, so this may require a much bigger jump to jquery 3.x if it's a problem; leaving that until later.)
Along the way we will want to update jquery datatables to 1.10.18 to match jquery 1.12.4.
Relatedly, jquery mustache 0.8.1 also has a CVE: https://snyk.io/test/npm/mustache/0.8.2
I propose to update to 2.3.12 (latest 2.x) to resolve it.
Although targeted for 3.0, I believe this is back-port-able to 2.4.x if needed, assuming we find no UI issues.
Attachments
Issue Links
- links to