Hi Jacques,

As far as I can tell, if OFBIZ-11960 is backported we will end up with jquery-validation v1.19.0 (themes/common-theme/webapp/common/js/jquery/plugins/validate/jquery.validate.js). Does this version also have the security issue? If so, then backporting OFBIZ-11960 won't result in secure JavaScript libraries.

If v1.19.0 does not suffer the same security issue, then we can update themes/common-theme/webapp/common/js/package.json to retrieve that particular version.

Thanks,

Dan.

On Sat, 16 Oct 2021 at 18:03, Jacques Le Roux <jacques.le.r...@les7arts.com> wrote:
> Hi,
>
> Thanks to Aditya's work at OFBIZ-11960 <https://issues.apache.org/jira/browse/OFBIZ-11960> "Use NPM with gradle to get external JS dependencies" (thanks also to Daniel's commit) and Dependabot installed at GH, I have been warned about this vulnerability. It did not reach comm...@ofbiz.apache.org because of a bug I reported at INFRA-22418 <https://issues.apache.org/jira/browse/INFRA-22418>.
>
> If nobody objects I'll backport the work done for OFBIZ-11960 because it will secure our js libs usage.
>
> Jacques
>

-- 
Daniel Watford
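The question in the thread is which jquery-validation release a checkout actually ships versus which one package.json asks for. The script below is an added example (not OFBiz code and not part of the thread) that reads the version banner at the top of jquery.validate.js, reads the dependency spec from package.json, compares both against a minimum version, and shows how to pin the dependency to an exact release. The banner format ("jQuery Validation Plugin - vX.Y.Z"), the sample file contents and the `MINIMUM_SAFE_VERSION` value are assumptions and constructed placeholders; the thread does not state which release fixes the reported issue, so that value must be filled in from the advisory.

```python
"""Audit the jquery-validation version in a checkout against package.json.

Added example, not OFBiz project code. Sample inputs are constructed.
"""
import json
import re

# Constructed sample of the banner at the top of jquery.validate.js.
# Assumption: real builds carry a "jQuery Validation Plugin - vX.Y.Z" comment.
SAMPLE_PLUGIN_HEADER = """/*!
 * jQuery Validation Plugin - v1.19.0 - 1/2/2018
 * https://jqueryvalidation.org/
 */
"""

# Constructed package.json fragment using the npm package name.
SAMPLE_PACKAGE_JSON = """{
  "dependencies": {
    "jquery": "3.6.0",
    "jquery-validation": "^1.19.0"
  }
}
"""

# PLACEHOLDER: set to the lowest release confirmed unaffected by the advisory.
MINIMUM_SAFE_VERSION = "1.19.0"


def parse_version(text):
    """Turn '1.19.0' into (1, 19, 0) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def plugin_version(header_text):
    """Extract the version shipped in the checked-in plugin file."""
    match = re.search(r"jQuery Validation Plugin - v(\d+\.\d+\.\d+)", header_text)
    if not match:
        raise ValueError("no jquery-validation version banner found")
    return match.group(1)


def declared_version(package_json_text, name="jquery-validation"):
    """Return (lower-bound version, raw spec) declared for a dependency."""
    data = json.loads(package_json_text)
    spec = data.get("dependencies", {}).get(name)
    if spec is None:
        raise KeyError(f"{name} is not declared in package.json")
    match = re.search(r"(\d+\.\d+\.\d+)", spec)
    if not match:
        raise ValueError(f"unparseable version spec {spec!r}")
    return match.group(1), spec


def meets_minimum(version, minimum=MINIMUM_SAFE_VERSION):
    """True when version is at or above the configured minimum."""
    return parse_version(version) >= parse_version(minimum)


def pin_exact(package_json_text, name, version):
    """Return package.json text with the dependency pinned to one exact release."""
    data = json.loads(package_json_text)
    data.setdefault("dependencies", {})[name] = version
    return json.dumps(data, indent=2) + "\n"


def audit(header_text, package_json_text, minimum=MINIMUM_SAFE_VERSION):
    """Compare the shipped file with the declared dependency and the minimum."""
    shipped = plugin_version(header_text)
    declared, spec = declared_version(package_json_text)
    return {
        "shipped": shipped,
        "declared": declared,
        "spec": spec,
        "shipped_ok": meets_minimum(shipped, minimum),
        "declared_ok": meets_minimum(declared, minimum),
        "consistent": shipped == declared,
    }


if __name__ == "__main__":
    print(audit(SAMPLE_PLUGIN_HEADER, SAMPLE_PACKAGE_JSON))
    print(pin_exact(SAMPLE_PACKAGE_JSON, "jquery-validation", "1.19.0"))
```

Note that a caret spec such as `^1.19.0` only states a lower bound: npm may resolve it to a later 1.x release, so the file that ends up in the theme can differ from what package.json appears to say. The `consistent` flag flags that gap, and pinning to an exact version (or checking the lockfile) removes the ambiguity when deciding whether a backport leaves the branch on an affected release.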