Comments (3)
The file is certainly there, but the library isn't npm-installed, and parsing HTML for script tags seems like a very strange choice for things inside node_modules.
If a later version of jQuery works in IE 6-9, then I'm happy to update it ¯\_(ツ)_/¯
from es6-shim.
I'm not sure why the warning would appear at all for anyone but the developers of es6-shim (mainly me), given that jquery is a dev dependency, so consumers would never have it installed?
Additionally, like many CVEs in the JS world, this CVE is not actually a vulnerability unless it's used improperly (in which case it's a vulnerability in the thing using jQuery, not jQuery itself). In other words, this CVE should never have been filed on jQuery directly in the first place. Our use of jQuery doesn't involve unsanitized user input, so it's a false positive.
from es6-shim.
Well, I'm not really sure what whitesource has going on under the hood.
To be fair, when I did a fresh install (yarn), the file was still there.
It picked up jquery from this:
Line 6 in 0d47be1
And for further context, there's a number of in-between dependencies (although I don't believe they'd impact what's in your node_modules folder.)
└─┬ @storybook/[email protected]
└─┬ @storybook/[email protected]
└─┬ [email protected]
└── [email protected]
That being said, I very much agree with you that it's not a real vulnerability.
from es6-shim.
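The point raised in the comments above, that a package's devDependencies are not installed for projects that consume it, as an added triage example (not code from es6-shim or from the scanner). The manifests and package names are constructed placeholders, and optional and peer dependencies are ignored.

```javascript
// Constructed manifests: names and versions are placeholders, not taken from the thread.
const manifests = {
  'app':         { dependencies: { 'ui-addon': '1.0.0' }, devDependencies: { 'test-runner': '1.0.0' } },
  'ui-addon':    { dependencies: { 'shim-lib': '1.0.0' } },
  'shim-lib':    { dependencies: {}, devDependencies: { 'flagged-lib': '1.0.0' } },
  'test-runner': { dependencies: {} },
  'flagged-lib': { dependencies: {} },
};

// Breadth-first walk of what a package manager installs for `root`:
// devDependencies are followed for the root project only, never for
// transitive packages. Returns the install path to `target`, or null.
function installPath(graph, root, target) {
  const queue = [[root]];
  const seen = new Set([root]);
  while (queue.length > 0) {
    const path = queue.shift();
    const name = path[path.length - 1];
    if (name === target) return path;
    const manifest = graph[name] || {};
    const edges = Object.keys(manifest.dependencies || {});
    if (name === root) edges.push(...Object.keys(manifest.devDependencies || {}));
    for (const dep of edges) {
      if (!seen.has(dep)) {
        seen.add(dep);
        queue.push([...path, dep]);
      }
    }
  }
  return null;
}

// Classify a scanner finding for `target` from the point of view of `root`.
function triage(graph, root, target) {
  const path = installPath(graph, root, target);
  if (path) return { installed: true, path };
  // Not installable from this root: the finding can only come from a file
  // reference (for example a script tag in a shipped HTML file) or from a
  // transitive devDependency that is never installed here.
  return { installed: false, path: null };
}
```

A finding with `installed: false` still needs a check that the referencing file is not served or executed by the consuming project.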