Spark / SPARK-27358

Update jquery to 1.12.x to pick up security fixes


    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.0.0
    • Fix Version/s: 2.3.4, 2.4.2, 3.0.0
    • Component/s: Web UI
    • Labels: None

Description

jQuery 1.11.1 is affected by a CVE:
https://www.cvedetails.com/cve/CVE-2016-7103/

This triggers some warnings in tools that check for known security issues in dependencies.
Note that I do not know whether this actually manifests as a security problem for Spark. But we can easily update to 1.12.4 (latest 1.x version) to resolve it.

(Note that https://www.cvedetails.com/cve/CVE-2015-9251/ seems to have been fixed in 1.12 but then unfixed, so this may require a much bigger jump to jQuery 3.x if it's a problem; leaving that until later.)

Along the way we will want to update jQuery DataTables to 1.10.18 to match jQuery 1.12.4.

Relatedly, jQuery mustache 0.8.1 also has a CVE: https://snyk.io/test/npm/mustache/0.8.2

I propose to update to 2.3.12 (latest 2.x) to resolve it.

Although targeted for 3.0, I believe this is back-portable to 2.4.x if needed, assuming we find no UI issues.

People

• Assignee: Sean R. Owen (srowen)
• Reporter: Sean R. Owen (srowen)