Hi, Ilja, alas we manage our JS dependencies a bit differently than our Java 
dependencies. [1] In the case of Mirage2, Bower is used to fetch jQuery, and 
the version is specified with a tilde, which according to NPM translates to 
"close enough to."[2][3]

I have made a Jira ticket for upgrading our jQuery version with the UIs we have 
right now [4]. As Tim said previously, we welcome a pull request to address 
this.

--Hardy

[1] https://github.com/DSpace/DSpace/search?q=jquery
[2] http://stackoverflow.com/questions/19541494/bower-dependency-tilde-in-node
[3] https://github.com/npm/node-semver
[4] https://jira.duraspace.org/browse/DS-3099

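As an added illustration of the tilde semantics Hardy refers to (this is not code from the thread, from DSpace or from Bower), the snippet below expands a node-semver `~` range into its bounds and reports whether a declared range still admits the vulnerable version next to the fixed one. The function names are invented for this example, and it assumes plain X.Y.Z versions without prerelease tags.

```javascript
// Minimal re-implementation of node-semver tilde ranges, as used in a Bower
// bower.json, for auditing whether a dependency spec can still resolve to a
// version with a known issue. Example code only; assumes X.Y.Z versions.

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
}

// node-semver: ~1.6.2 := >=1.6.2 <1.7.0, ~1.6 := >=1.6.0 <1.7.0, ~1 := >=1.0.0 <2.0.0
// Returns an inclusive lower bound and an exclusive upper bound.
function tildeRange(spec) {
  const m = /^~(\d+)(?:\.(\d+))?(?:\.(\d+))?$/.exec(spec.trim());
  if (!m) throw new Error(`not a tilde range: ${spec}`);
  const major = Number(m[1]);
  const minor = m[2] === undefined ? 0 : Number(m[2]);
  const patch = m[3] === undefined ? 0 : Number(m[3]);
  // With a minor given, the range is pinned to that minor line; "~1" spans the major.
  const upper = m[2] === undefined ? `${major + 1}.0.0` : `${major}.${minor + 1}.0`;
  return { lower: `${major}.${minor}.${patch}`, upper };
}

function satisfies(version, spec) {
  const { lower, upper } = tildeRange(spec);
  return compareVersions(version, lower) >= 0 && compareVersions(version, upper) < 0;
}

// Audit helper: does the declared spec still allow the affected version, and
// does it allow the fixed one? A range that allows both only gets the fix if
// the resolver happens to pick the newer release; raising the floor removes
// the affected version from the range altogether.
function auditRange(spec, affectedVersion, fixedVersion) {
  return {
    range: tildeRange(spec),
    allowsVulnerable: satisfies(affectedVersion, spec),
    allowsFixed: satisfies(fixedVersion, spec),
  };
}

// Constructed sample matching the thread: a "~1.6.2" spec versus the 1.6.4 fix.
console.log(auditRange('~1.6.2', '1.6.2', '1.6.4'));
console.log(auditRange('~1.6.4', '1.6.2', '1.6.4'));
```
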
________________________________
From: dspace-tech@googlegroups.com [dspace-tech@googlegroups.com] on behalf of 
Tim Donohue [tdono...@duraspace.org]
Sent: Thursday, March 10, 2016 1:59 PM
To: dspace-tech@googlegroups.com
Subject: Re: [dspace-tech] jQuery 1.6.2

Hi Ilja,

Yes, we'd encourage a Pull Request if you are willing. Thanks for making us 
aware of this.

- Tim

On 3/8/2016 6:55 AM, Ilja Sidoroff wrote:
A routine system scan by our IT department noticed that the Mirage theme uses 
jQuery version 1.6.2, which is vulnerable to an XSS attack [1]. I don't know if 
this is actually exploitable in DSpace, but anyway it seems that this is fixable 
by simply bumping the version to 1.6.4. Is it worth making a pull request to 
fix this?

Ilja Sidoroff
Information Specialist
University of Eastern Finland, Library

[1] CVE-2011-4969 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4969
--
You received this message because you are subscribed to the Google Groups 
"DSpace Technical Support" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to dspace-tech+unsubscr...@googlegroups.com.
To post to this group, send email to dspace-tech@googlegroups.com.
Visit this group at https://groups.google.com/group/dspace-tech.
For more options, visit https://groups.google.com/d/optout.


--
Tim Donohue
Technical Lead for DSpace & DSpaceDirect
DuraSpace.org | DSpace.org | DSpaceDirect.org

