Oops, I accidentally deleted my reply when trying to remove a spurious 
empty message. Anyway, I made a pull request for non-Mirage2 themes in 
XMLUI (see issue) [1].

Ilja

[1] https://jira.duraspace.org/browse/DS-3099

On Saturday, March 12, 2016 at 0:43:25 UTC+2, Hardy Pottinger wrote:
>
> Hi, Ilja, alas we manage our JS dependencies a bit differently than our 
> Java dependencies. [1] In the case of Mirage2, Bower is used to fetch 
> jQuery, and the version is specified with a tilde, which according to NPM 
> translates to "close enough to."[2][3]
>
> I have made a Jira ticket for upgrading our jQuery version with the UIs we 
> have right now [4]. As Tim said previously, we welcome a pull request to 
> address this.
>
> --Hardy
>
> [1] https://github.com/DSpace/DSpace/search?q=jquery
> [2] http://stackoverflow.com/questions/19541494/bower-dependency-tilde-in-node
> [3] https://github.com/npm/node-semver
> [4] https://jira.duraspace.org/browse/DS-3099
>
> ------------------------------
> *From:* dspac...@googlegroups.com [dspac...@googlegroups.com] on behalf 
> of Tim Donohue [tdon...@duraspace.org]
> *Sent:* Thursday, March 10, 2016 1:59 PM
> *To:* dspac...@googlegroups.com
> *Subject:* Re: [dspace-tech] jQuery 1.6.2
>
> Hi Ilja,
>
> Yes, we'd encourage a Pull Request if you are willing. Thanks for making 
> us aware of this.
>
> - Tim
>
> On 3/8/2016 6:55 AM, Ilja Sidoroff wrote:
>
> A routine system scan by our IT department noticed that the mirage theme 
> uses jQuery version 1.6.2, which is vulnerable to an XSS attack [1]. I don't 
> know if this is actually exploitable in DSpace, but anyway it seems that this 
> is fixable by simply bumping the version to 1.6.4. Is it worth making a 
> pull request to fix this?
>
> Ilja Sidoroff
> Information Specialist
> University of Eastern Finland, Library
>
> [1] CVE-2011-4969 
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4969
> -- 
> You received this message because you are subscribed to the Google Groups 
> "DSpace Technical Support" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to dspace-tech...@googlegroups.com.
> To post to this group, send email to dspac...@googlegroups.com.
> Visit this group at https://groups.google.com/group/dspace-tech.
> For more options, visit https://groups.google.com/d/optout.
>
>
> -- 
> Tim Donohue
> Technical Lead for DSpace & DSpaceDirect
> DuraSpace.org | DSpace.org | DSpaceDirect.org
>
>
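
An added example, not part of the thread or of DSpace's code: tilde ranges following the node-semver rules linked as [3] above, used to check whether a declared range can still resolve to the flagged 1.6.2. The ranges tested are constructed, and 1.6.4 is treated as the fixed version only because it is the bump proposed in the thread.

```javascript
'use strict';
// Tilde semantics as documented by node-semver:
// ~1.2.3 := >=1.2.3 <1.3.0   ~1.2 := >=1.2.0 <1.3.0   ~1 := >=1.0.0 <2.0.0

function parseVersion(v) {
  const m = /^(\d+)(?:\.(\d+))?(?:\.(\d+))?$/.exec(v.trim());
  if (!m) throw new Error('unsupported version: ' + v);
  // Missing parts stay undefined so "~1" and "~1.0" can be told apart.
  return m.slice(1).map(p => (p === undefined ? undefined : Number(p)));
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Bounds of a tilde range; an exact pin becomes a one-version range.
function tildeBounds(range) {
  const tilde = range.startsWith('~');
  const [maj, min, pat] = parseVersion(tilde ? range.slice(1) : range);
  const floor = [maj, min ?? 0, pat ?? 0];
  if (!tilde) return { min: floor, maxExclusive: [maj, floor[1], floor[2] + 1] };
  const ceiling = min === undefined ? [maj + 1, 0, 0] : [maj, min + 1, 0];
  return { min: floor, maxExclusive: ceiling };
}

function satisfies(version, range) {
  const v = parseVersion(version).map(p => p ?? 0);
  const { min, maxExclusive } = tildeBounds(range);
  return compare(v, min) >= 0 && compare(v, maxExclusive) < 0;
}

// A declaration is safe on its own only when its floor is at or above the fix.
function auditRange(range, firstFixed) {
  const fixed = parseVersion(firstFixed).map(p => p ?? 0);
  const { min, maxExclusive } = tildeBounds(range);
  if (compare(min, fixed) >= 0) return 'floor-is-fixed';
  if (compare(fixed, maxExclusive) < 0) return 'check-installed-version';
  return 'cannot-reach-fix';
}

// Constructed declarations, not taken from DSpace's bower.json.
for (const r of ['~1.6.2', '~1.6.4', '1.6.2']) {
  console.log(r, '->', auditRange(r, '1.6.4'));
}
```

A result of `check-installed-version` means the declaration alone does not settle the question: the copy actually fetched into the build has to be inspected.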
