You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
According to Sonatype, this version is vulnerable to prototype pollution (SONATYPE-2024-011918):
The $.widget() function in widget.js does not properly check if the name parameter contains a risky JavaScript accessor such as __proto__ or constructor when creating a new widget. An attacker can exploit this vulnerability by providing a crafted name to override the original JavaScript prototype and therefore values of objects used by the application. This may result in arbitrary code execution, data corruption, or application crashes.
To be clear, a) I have on idea what shiny uses jQuery UI for, and b) I suspect the probablility that this is exploitable via shiny to be very low. However, it's probably good to keep these dependencies up-to-date anyway.
I'd offer a PR to upgrade jQuery UI, but I think you probably do it via htmlDependencies.R (https://github.com/posit-dev/py-shiny/blob/main/scripts/htmlDependencies.R), and therefore it's just a matter of running that script to get the latest versions? I haven't looked too closely at it. Happy to help in any way.
The text was updated successfully, but these errors were encountered:
The version of jQuery UI bundled in https://github.com/posit-dev/py-shiny/blob/main/shiny/www/shared/jqueryui/jquery-ui.min.js is 1.13.2.
According to Sonatype, this version is vulnerable to prototype pollution (SONATYPE-2024-011918):
This was fixed in jQuery UI 1.14.1: https://jqueryui.com/changelog/1.14.1/#widget-factory.
To be clear, a) I have on idea what shiny uses jQuery UI for, and b) I suspect the probablility that this is exploitable via shiny to be very low. However, it's probably good to keep these dependencies up-to-date anyway.
I'd offer a PR to upgrade jQuery UI, but I think you probably do it via
htmlDependencies.R
(https://github.com/posit-dev/py-shiny/blob/main/scripts/htmlDependencies.R), and therefore it's just a matter of running that script to get the latest versions? I haven't looked too closely at it. Happy to help in any way.The text was updated successfully, but these errors were encountered: