JQuery 1.12.4 (with vuln) loaded by default
The version of jQuery loaded by default on all (frontend, backend) Solidus apps is version 1.12.4, as that is the version that jquery-rails loads when requiring simply jquery. This version has several known security vulnerabilities. The use of jQuery 1.12.4 was recently flagged for us as a security vulnerability, and was a surprise, as we don't use that version of jQuery.
A simple fix might be to update to jquery3 in all places where jquery is required, but we are unsure if this will have broader consequences. Also, we were unsure if this was on your radar, as it seems to be a simple thing to miss.
Solidus Version:
Latest
To Reproduce
Generate a new Solidus app, see the jquery version pulled in
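As an added example (not code from the Solidus project or from this issue thread), the following Ruby script does the two checks a reviewer would want before closing this: it scans a Sprockets manifest for a bare `//= require jquery` (which jquery-rails resolves to jQuery 1.12.4, as the report states) and it reads the version banner out of a bundled jquery.js so the shipped version can be compared against the 3.5 floor the PCI scanner asked for. The sample manifest and banner strings are constructed here; the asset names `jquery` and `jquery3` are the ones jquery-rails provides, and the `MIN_VERSION` value is taken from the thread.

```ruby
require "rubygems" # for Gem::Version; normally loaded already

# Minimum version the vulnerability scanner mentioned in this thread accepts.
MIN_VERSION = "3.5.0"

# Matches a bare `//= require jquery` (optionally `jquery.js`) but not
# `jquery3`, `jquery2` or `jquery_ujs`.
BARE_JQUERY_REQUIRE = %r{^\s*//=\s*require\s+jquery(?:\.js)?\s*$}

# Matches both the minified banner "/*! jQuery v1.12.4 ..." and the
# unminified " * jQuery JavaScript Library v1.12.4" header line.
VERSION_BANNER = /jQuery(?: JavaScript Library)? v(\d+\.\d+\.\d+)/

# Returns the 1-based line numbers of manifest lines that pull in the
# legacy 1.x build via the plain `jquery` asset.
def bare_jquery_requires(manifest_text)
  manifest_text.lines.each_with_index.filter_map do |line, i|
    i + 1 if line.match?(BARE_JQUERY_REQUIRE)
  end
end

# Extracts the version string from a jQuery source file, or nil if the
# file carries no recognisable banner.
def jquery_version(js_text)
  js_text[VERSION_BANNER, 1]
end

# Numeric dotted-version comparison, so "3.10.0" >= "3.5.0" holds.
def version_at_least?(version, minimum = MIN_VERSION)
  Gem::Version.new(version) >= Gem::Version.new(minimum)
end

# Constructed sample manifest in the shape of a default app's application.js
# (assumed layout; not copied from any Solidus generator output).
SAMPLE_MANIFEST = <<~JS
  //= require jquery
  //= require jquery_ujs
  //= require spree/frontend
JS

# Constructed banner lines standing in for the top of two jquery.js builds.
SAMPLE_JQUERY_1 = "/*! jQuery v1.12.4 | (c) jQuery Foundation | jquery.org/license */\n"
SAMPLE_JQUERY_3 = " * jQuery JavaScript Library v3.6.0\n"

if __FILE__ == $PROGRAM_NAME
  bare_jquery_requires(SAMPLE_MANIFEST).each do |n|
    puts "manifest line #{n}: `//= require jquery` loads jQuery 1.x; use `//= require jquery3`"
  end

  [SAMPLE_JQUERY_1, SAMPLE_JQUERY_3].each do |src|
    v = jquery_version(src)
    status = version_at_least?(v) ? "ok" : "below #{MIN_VERSION}"
    puts "bundled jQuery #{v}: #{status}"
  end
end
```

Running it against a real app means pointing `bare_jquery_requires` at each `application.js` manifest (frontend and backend both have one) and `jquery_version` at the compiled bundle from `rake assets:precompile`, since the manifest only tells you what was requested and the bundle tells you what is actually served.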
Thanks for pointing this out!
@jarednorman has there been any movement or attempt at resolution to this?
Not that I know of. We should definitely upgrade and I suspect it wouldn't be too difficult, but I think only the first two could realistically affect the app, and we audited the code in the early days after the fork when we found an XSS vulnerability that was similar but involved select2.
I would like to report that I had to update to jquery3 in order to pass a PCI vulnerability scan. I am using SecureTrust's vulnerability scan tool and it reported a few items that called for jQuery v3.5 or above. These items cause the vulnerability scan to fail.
It would be nice if the jQuery version got updated to a recent, supported version so that new users of Solidus do not have to face the same issue.
@cpfergus1 seems to have fixed this already. @kennyadsl I would assume it is safe to close this issue.