Includes front-end JavaScript libraries with known security vulnerabilities about website HOT 15 CLOSED

@BO41 I changed my jquery version with jQuery 3.3.1 ( https://code.jquery.com/jquery-3.3.1.min.js ), and It solved my problem.

from website.

@BO41 just a tip for next time, please provide such information right away.

from website.

We'd appreciate a PR fixing these issues.

from website.

@TheAssassin so you would be fine with upgrading?
This could mean changing some of the code, because of possible breaking changes.

But I did not look into it yet. But I will

from website.

@BO41 it shouldn't break the website IMO. And @TobiGr will review it anyway before we're going to merge it.

from website.

@TheAssassin I tried updating bootstrap with gem install bootstrap -v 4.1.3 like https://getbootstrap.com/docs/4.1/getting-started/download/ recommends, but it does not change anything. Can you please help me :)

from website.

or did you not install bootstrap via gem?

from website.

No, we included it locally. https://github.com/TeamNewPipe/website/tree/master/bootstrap

from website.

@TheAssassin just updating the bootstrap.min.css and bootstrap.min.js really breaks everything.
I guess there is a reason long lists with breaking changes exist:

• http://upgrade-bootstrap.bootply.com/
• https://gitlab.com/gitlab-org/gitlab-ce/issues/45185

so, still want to update from 3.3.7 to 4.1?
Or just leave it as it is?

from website.

@BO41 I never said updating to the next major version is viable, but we could've updated to 3.3.7 for instance.

from website.

@TheAssassin I don't know where to get this version and if it is really better.
Maybe just close this issue and leave everything as it is.

from website.

I guess there's no issue unless we start to believe there is. Thanks for your suggestion anyway.

from website.

No. I think we should update, but this needs some time.

from website.

@BO41 can you provide us where you got this "vulnerability report" from? The question is always what kind of vulnerability we're talking about, and if we are affected. Updating just for the sake of updating doesn't make sense.

from website.

@TheAssassin @TobiGr sure:
I used the google lighthouse report tool.
It recommends updating or removing the library: https://developers.google.com/web/tools/lighthouse/audits/vulnerabilities

• bootstrap: https://snyk.io/vuln/npm:[email protected]
• jquery: https://snyk.io/vuln/npm:[email protected]

I just copied the report, I don't know how real the threat really is.

from website.