Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Upgrade jQuery to 3.4 #1581

Closed
Cerebus opened this issue Jun 7, 2019 · 1 comment
Closed

Upgrade jQuery to 3.4 #1581

Cerebus opened this issue Jun 7, 2019 · 1 comment
Milestone
0.15.5

Comments

@Cerebus
Copy link
Contributor

Cerebus commented Jun 7, 2019

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable proto property, it could extend the native Object.prototype.

https://nvd.nist.gov/vuln/detail/CVE-2019-11358
@davidism
Copy link
Member

davidism commented Jun 7, 2019

jQuery as used in Werkzeug is not vulnerable to this. You're welcome to open a PR to upgrade the bundled version though.

@davidism davidism closed this as completed Jun 7, 2019
Cerebus pushed a commit to Cerebus/werkzeug that referenced this issue Jun 8, 2019
Update to jQuery 3.4.1, fixes pallets#1581
ec9b1ce
@Cerebus Cerebus mentioned this issue Jul 12, 2019
Merged
@davidism davidism added this to the 0.15.5 milestone Jul 12, 2019
davidism added a commit that referenced this issue Jul 12, 2019
@davidism
Merge pull request #1582 from Cerebus/fix/1581-jquery-3.4.1
8afe4eb 
Update to jQuery 3.4.1, fixes #1581
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 13, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
0.15.5
Development

No branches or pull requests
2 participants
@Cerebus @davidism