Hi Oliver,

AFAIK there's no release planned right now, but I concur that even a
smaller one might be warranted due to fixing a CVE.

However, if you need to mitigate immediately, you could replace underscore
in any version with a config override:

@Contribute(JavaScriptStack.class)
@Core
public static void setupCoreJavaScriptStack(OrderedConfiguration<StackExtension> conf) {
    // Override the core stack's "underscore-library" entry with the 1.13.6 build
    conf.override("underscore-library",
        StackExtension.library("META-INF/assets/underscore-1.13.6.umd.min.js"));
}

Cheers
Ben

On Wed, Nov 1, 2023 at 11:59 AM Oliver Hanraths
<oliver.hanra...@gallerysystems.com.invalid> wrote:

> Hi Tapestry devs,
>
> On Sa, 2023-10-21 at 14:02 +0000, benweidig (via GitHub) wrote:
> > benweidig merged PR #45:
> > URL: https://github.com/apache/tapestry-5/pull/45
>
> with TAP5-2765 being merged and a couple of other bug fixes in 5.8.4,
> would it be possible to release version 5.8.4? Some of our clients are
> eager to get the underscore.js security vulnerability addressed.
>
> Thanks and best regards,
> Oliver
>
