Hi Jacques,

In order to resolve this we should also remove the dependency on
jsgantt-improved from
https://github.com/apache/ofbiz-plugins/blob/trunk/projectmgr/webapp/projectmgr/package.json

Jacopo

On Wed, Jan 21, 2026 at 11:19 AM <[email protected]> wrote:

> This is an automated email from the ASF dual-hosted git repository.
>
> jleroux pushed a commit to branch release24.09
> in repository https://gitbox.apache.org/repos/asf/ofbiz-plugins.git
>
>
> The following commit(s) were added to refs/heads/release24.09 by this push:
>      new 3ebc51f37 Fixed: jsgantt-improved blocks qs.js update (OFBIZ-13339)
> 3ebc51f37 is described below
>
> commit 3ebc51f37682ba0d01a3e33eacc396410f249968
> Author: Jacques Le Roux <[email protected]>
> AuthorDate: Wed Jan 21 11:18:01 2026 +0100
>
>     Fixed: jsgantt-improved blocks qs.js update (OFBIZ-13339)
>
>     Because of this vulnerability we are temporarily disabling the
>     projectmgr/control/ganttChart feature
> ---
>  projectmgr/template/project/GanttChart.ftl        | 25
> +++++++++++++++++++++--
>  projectmgr/webapp/projectmgr/static/projectmgr.js |  2 +-
>  projectmgr/widget/ProjectScreens.xml              |  4 ++--
>  3 files changed, 26 insertions(+), 5 deletions(-)
>
> diff --git a/projectmgr/template/project/GanttChart.ftl
> b/projectmgr/template/project/GanttChart.ftl
> index 2fc1929dd..f5567cb36 100644
> --- a/projectmgr/template/project/GanttChart.ftl
> +++ b/projectmgr/template/project/GanttChart.ftl
> @@ -22,8 +22,29 @@ under the License.
>
>  <input id="ofbizGantItemsJson" type="hidden"
> value="${phaseTaskListJson}"/>
>
> -<#-- Commented out because qs.js has a transitive issue due to
> request.js. See https://issues.apache.org/jira/browse/OFBIZ-13339 for
> details
> +<#-- Commented out because qs.js has a transitive vulnerability due to
> request.js. See https://issues.apache.org/jira/browse/OFBIZ-13339 for
> details
>  <script type="text/javascript"
> src="/projectmgr/node_modules/jsgantt-improved/dist/jsgantt.js"></script>
>  <script type="text/javascript"
> src="/projectmgr/static/projectmgr.js"></script>
>  -->
> -This has for now been Commented out because qs.js has a transitive issue
> due to request.js. See https://issues.apache.org/jira/browse/OFBIZ-13339
> for details
> +This has for now been Commented out because qs.js has a transitive
> vulnerability due to request.js.
> +<br>
> +See <a href="https://issues.apache.org/jira/browse/OFBIZ-13339 for
> details">https://issues.apache.org/jira/browse/OFBIZ-13339 for details</a>
> +<br><br>
> +The latest possible version that can be installed is 6.5.3 because of the
> following conflicting dependencies:
> +<br>
> [email protected] requires qs@~6.5.2 via a transitive dependency on
> [email protected]
> +<br>
> +No patched version available for qs
> +<br>
> +The earliest fixed version is 6.14.1.
> +<br><br>
> +For details see.
> +<br>
> +<a href="https://github.com/advisories/GHSA-6rw7-vpxm-498p";>
> https://github.com/advisories/GHSA-6rw7-vpxm-498p</a>
> +<br>
> +<a href="
> https://github.com/apache/ofbiz-plugins/network/updates/1194761905";>
> https://github.com/apache/ofbiz-plugins/network/updates/1194761905</a>
> +<br>
> +<a href="https://github.com/jsGanttImproved/jsgantt-improved/issues/384";>
> https://github.com/jsGanttImproved/jsgantt-improved/issues/384</a>
> +<br>
> +<br>
> +If you feel it's ok with you (e.g. totally secured Internet access, or
> rather no access at all which is safer!) you may uncomment and use.
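Review bot: the `See <a href=...>` line puts the words ` for details` inside the href attribute, so the rendered link points at a URL that does not exist; keep only the Jira URL in the attribute, e.g. `See <a href="https://issues.apache.org/jira/browse/OFBIZ-13339">OFBIZ-13339</a> for details`, and end `For details see.` with a colon rather than a full stop. Separately, the hidden `ofbizGantItemsJson` input carrying `${phaseTaskListJson}` (context lines at the top of the hunk) is still emitted, so the project task data is still serialized into every response for this screen even though no script consumes it while the feature is disabled; commenting it out together with the two script tags would make the disabled feature send nothing extra to the client. The closing sentence, which leaves the decision to uncomment to the reader based on how secure their Internet access is, would be more useful if it said where the vulnerable qs version is actually reached from (the dist/jsgantt.js bundle served to the browser, or only the package's install-time tooling via request.js), since that is what determines the real exposure.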
> diff --git a/projectmgr/webapp/projectmgr/static/projectmgr.js
> b/projectmgr/webapp/projectmgr/static/projectmgr.js
> index 48090245e..c64911a68 100644
> --- a/projectmgr/webapp/projectmgr/static/projectmgr.js
> +++ b/projectmgr/webapp/projectmgr/static/projectmgr.js
> @@ -17,7 +17,7 @@
>   * under the License.
>   */
>
> -/* - Commented out because qs.js has a transitive issue due to
> request.js. See https://issues.apache.org/jira/browse/OFBIZ-13339 for
> details
> +/* - Commented out because qs.js has a transitive vulnerabily due to
> request.js. See https://issues.apache.org/jira/browse/OFBIZ-13339 for
> details
>
>  const ganttItemsJson =
> document.getElementById("ofbizGantItemsJson").value;
>  const ganttItems = JSON.parse(ganttItemsJson);
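Review bot: `vulnerabily` on the replacement comment line is a typo; the GanttChart.ftl hunk spells it `vulnerability`, so align the wording so all copies of this marker stay identical and greppable when the workaround is reverted. Also, this line opens a block comment (`/* - Commented out ...`) whose closing `*/` is outside the hunk; double-check that a matching `*/` still ends the file, because an unterminated block comment is a syntax error that will surface the moment someone re-enables the `<script src="/projectmgr/static/projectmgr.js">` tag as the note in GanttChart.ftl invites them to.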
> diff --git a/projectmgr/widget/ProjectScreens.xml
> b/projectmgr/widget/ProjectScreens.xml
> index 5a8f5d1bb..c1f7649d1 100644
> --- a/projectmgr/widget/ProjectScreens.xml
> +++ b/projectmgr/widget/ProjectScreens.xml
> @@ -424,7 +424,7 @@ under the License.
>              <actions>
>                  <set field="titleProperty" value="ProjectMgrGanttChart"/>
>                  <set field="tabButtonItem" value="ganttchart"/>
> -                <!-- Commented out because qs.js has a transitive issue
> due to request.js. See https://issues.apache.org/jira/browse/OFBIZ-13339
> for details
> +                <!-- Commented out because qs.js has a transitive
> vulnerabily due to request.js. See
> https://issues.apache.org/jira/browse/OFBIZ-13339 for details
>                  <set field="layoutSettings.styleSheets[]"
> value="/projectmgr/node_modules/jsgantt-improved/dist/jsgantt.css"
> global="true"/>
>                   -->
>                  <set field="layoutSettings.styleSheets[]"
> value="/projectmgr/static/projectmgr.css" global="true"/>
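Review bot: `vulnerabily` on the replacement line is a typo (the GanttChart.ftl hunk uses `vulnerability`); fix it here and in the second hunk of this file. Beyond the typo, commenting out the jsgantt.css stylesheet does not remove the package: `jsgantt-improved` is still declared in projectmgr/webapp/projectmgr/package.json, as Jacopo notes at the top of the thread, so the vulnerable qs version stays under node_modules and the Dependabot alert linked from GanttChart.ftl keeps firing. Consider referencing that follow-up in this comment so the two halves of the mitigation are tracked together under OFBIZ-13339.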
> @@ -982,7 +982,7 @@ under the License.
>          <section>
>              <actions>
>                  <property-map resource="ProjectMgrUiLabels"
> map-name="uiLabelMap" global="true"/>
> -                <!-- - Commented out because qs.js has a transitive issue
> due to request.js. See https://issues.apache.org/jira/browse/OFBIZ-13339
> for details
> +                <!-- - Commented out because qs.js has a transitive
> vulnerabily due to request.js. See
> https://issues.apache.org/jira/browse/OFBIZ-13339 for details
>                  <set field="layoutSettings.styleSheets[]"
> value="/projectmgr/node_modules/jsgantt-improved/dist/jsgantt.css"
> global="true"/>
>                   -->
>                  <set field="layoutSettings.styleSheets[]"
> value="/projectmgr/static/projectmgr.css" global="true"/>
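Review bot: same `vulnerabily` typo as the hunk above, and the two XML comments now differ only by a stray leading `- ` (`<!-- - Commented out` here versus `<!-- Commented out` at line 424); use one wording for both so a later cleanup that searches for the OFBIZ-13339 marker finds every occurrence. In both hunks the `-->` closer is indented one column deeper than the `<!--` opener; aligning them makes the commented-out `<set field="layoutSettings.styleSheets[]" ... jsgantt.css>` block easier to spot in a screen file this long.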
>
>