Description
- Operating System: Ubuntu
- Node Version: 6.11.4
- NPM Version: 3.5.2
- webpack Version:
- webpack-dev-server Version: 69a90c7 (latest HEAD)
- This is a bug
- This is a modification request
Code
// webpack.config.js
// additional code, remove if not needed.
Expected Behavior
Webpack-dev-server to depend on and use one version of jQuery.
Actual Behavior
Webpack-dev-server depends on a recent version of jQuery in package.json but also includes a much older one (with known vulnerabilities) under client-src/live.
For Bugs; How can we reproduce the behavior?
I installed retire.js (https://github.com/RetireJS/retire.js) which identifies dependencies and libraries with known vulnerabilities.
When running retire on the webpack-dev-server repo it reports a couple of dependencies with known vulnerabilities, but also an older version of jQuery included directly in the repo:
/home/username/dev/webpack-dev-server/client-src/live/web_modules/jquery/jquery-1.8.1.js
↳ jquery 1.8.1 has known vulnerabilities: severity: medium; CVE: CVE-2012-6708, bug: 11290, summary: Selector interpreted as HTML; http://bugs.jquery.com/ticket/11290 http://research.insecurelabs.org/jquery/test/ severity: medium; issue: 2432, summary: 3rd party CORS request may execute, CVE: CVE-2015-9251; https://github.com/jquery/jquery/issues/2432 http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/ http://research.insecurelabs.org/jquery/test/ severity: medium; issue: 11974, summary: parseHTML() executes scripts in event handlers; https://bugs.jquery.com/ticket/11974 http://research.insecurelabs.org/jquery/test/
I'm not too familiar with this project, so I tried to find why this file is included and how it is used. When searching (https://github.com/webpack/webpack-dev-server/search?utf8=%E2%9C%93&q=jquery&type=) I didn't find much mentioning jquery, but discovered that package.json pulls in a more recent version of jQuery and this seems to be used. It is therefore not clear to me if the 1.8.1 version is actually in use, or if it could be removed.