(ofbiz-plugins) branch release24.09 updated: Fixed: jsgantt-improved bloks qs.js update (OFBIZ-13339)

Wed, 21 Jan 2026 02:19:11 -0800 

This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release24.09
in repository https://gitbox.apache.org/repos/asf/ofbiz-plugins.git


The following commit(s) were added to refs/heads/release24.09 by this push:
     new 3ebc51f37 Fixed: jsgantt-improved bloks qs.js update (OFBIZ-13339)
3ebc51f37 is described below

commit 3ebc51f37682ba0d01a3e33eacc396410f249968
Author: Jacques Le Roux <[email protected]>
AuthorDate: Wed Jan 21 11:18:01 2026 +0100

    Fixed: jsgantt-improved bloks qs.js update (OFBIZ-13339)
    
    Because of this vulnerability we are temporarily disabling the
    projectmgr/control/ganttChart feature
---
 projectmgr/template/project/GanttChart.ftl        | 25 +++++++++++++++++++++--
 projectmgr/webapp/projectmgr/static/projectmgr.js |  2 +-
 projectmgr/widget/ProjectScreens.xml              |  4 ++--
 3 files changed, 26 insertions(+), 5 deletions(-)

diff --git a/projectmgr/template/project/GanttChart.ftl 
b/projectmgr/template/project/GanttChart.ftl
index 2fc1929dd..f5567cb36 100644
--- a/projectmgr/template/project/GanttChart.ftl
+++ b/projectmgr/template/project/GanttChart.ftl
@@ -22,8 +22,29 @@ under the License.
 
 <input id="ofbizGantItemsJson" type="hidden" value="${phaseTaskListJson}"/>
 
-<#-- Commented out because qs.js has a transitive issue due to request.js. See 
https://issues.apache.org/jira/browse/OFBIZ-13339 for details
+<#-- Commented out because qs.js has a transitive vulnerability due to 
request.js. See https://issues.apache.org/jira/browse/OFBIZ-13339 for details
 <script type="text/javascript" 
src="/projectmgr/node_modules/jsgantt-improved/dist/jsgantt.js"></script>
 <script type="text/javascript" src="/projectmgr/static/projectmgr.js"></script>
 -->
-This has for now been Commented out because qs.js has a transitive issue due 
to request.js. See https://issues.apache.org/jira/browse/OFBIZ-13339 for details
+This has for now been Commented out because qs.js has a transitive 
vulnerability due to request.js.
+<br>
+See <a href="https://issues.apache.org/jira/browse/OFBIZ-13339 for 
details">https://issues.apache.org/jira/browse/OFBIZ-13339 for details</a>
+<br><br>
+The latest possible version that can be installed is 6.5.3 because of the 
following conflicting dependencies:
+<br>
[email protected] requires qs@~6.5.2 via a transitive dependency on 
[email protected]
+<br>
+No patched version available for qs
+<br>
+The earliest fixed version is 6.14.1.
+<br><br>
+For details see.
+<br>
+<a 
href="https://github.com/advisories/GHSA-6rw7-vpxm-498p";>https://github.com/advisories/GHSA-6rw7-vpxm-498p</a>
+<br>
+<a 
href="https://github.com/apache/ofbiz-plugins/network/updates/1194761905";>https://github.com/apache/ofbiz-plugins/network/updates/1194761905</a>
+<br>
+<a 
href="https://github.com/jsGanttImproved/jsgantt-improved/issues/384";>https://github.com/jsGanttImproved/jsgantt-improved/issues/384</a>
+<br>
+<br>
+If you feel it's ok with you (e.g. totally secured Internet access, or rather 
no access at all which is safer!) you may uncomment and use.
diff --git a/projectmgr/webapp/projectmgr/static/projectmgr.js 
b/projectmgr/webapp/projectmgr/static/projectmgr.js
index 48090245e..c64911a68 100644
--- a/projectmgr/webapp/projectmgr/static/projectmgr.js
+++ b/projectmgr/webapp/projectmgr/static/projectmgr.js
@@ -17,7 +17,7 @@
  * under the License.
  */
 
-/* - Commented out because qs.js has a transitive issue due to request.js. See 
https://issues.apache.org/jira/browse/OFBIZ-13339 for details
+/* - Commented out because qs.js has a transitive vulnerabily due to 
request.js. See https://issues.apache.org/jira/browse/OFBIZ-13339 for details
 
 const ganttItemsJson = document.getElementById("ofbizGantItemsJson").value;
 const ganttItems = JSON.parse(ganttItemsJson);
diff --git a/projectmgr/widget/ProjectScreens.xml 
b/projectmgr/widget/ProjectScreens.xml
index 5a8f5d1bb..c1f7649d1 100644
--- a/projectmgr/widget/ProjectScreens.xml
+++ b/projectmgr/widget/ProjectScreens.xml
@@ -424,7 +424,7 @@ under the License.
             <actions>
                 <set field="titleProperty" value="ProjectMgrGanttChart"/>
                 <set field="tabButtonItem" value="ganttchart"/>
-                <!-- Commented out because qs.js has a transitive issue due to 
request.js. See https://issues.apache.org/jira/browse/OFBIZ-13339 for details
+                <!-- Commented out because qs.js has a transitive vulnerabily 
due to request.js. See https://issues.apache.org/jira/browse/OFBIZ-13339 for 
details
                 <set field="layoutSettings.styleSheets[]" 
value="/projectmgr/node_modules/jsgantt-improved/dist/jsgantt.css" 
global="true"/>
                  -->
                 <set field="layoutSettings.styleSheets[]" 
value="/projectmgr/static/projectmgr.css" global="true"/>
@@ -982,7 +982,7 @@ under the License.
         <section>
             <actions>
                 <property-map resource="ProjectMgrUiLabels" 
map-name="uiLabelMap" global="true"/>
-                <!-- - Commented out because qs.js has a transitive issue due 
to request.js. See https://issues.apache.org/jira/browse/OFBIZ-13339 for details
+                <!-- - Commented out because qs.js has a transitive 
vulnerabily due to request.js. See 
https://issues.apache.org/jira/browse/OFBIZ-13339 for details
                 <set field="layoutSettings.styleSheets[]" 
value="/projectmgr/node_modules/jsgantt-improved/dist/jsgantt.css" 
global="true"/>
                  -->
                 <set field="layoutSettings.styleSheets[]" 
value="/projectmgr/static/projectmgr.css" global="true"/>

Reply via email to