Bundled js modules are vulnerable #2500
Comments
|
The packages are included for third party driver authors to be able to be run Capybaras tests against their drivers, and will not be excluded from the gemspec. These files are not used by end users of Capybara, and are easily excludable from any static analysis tool. We will look at updating the dependencies but I don't consider this a valid security concern. |
|
@Jackiesan Time to figure out why the visibility behavior changes when using the new versions. Assumption is that it shouldn't have any effect since jQuery isn't used in the visibility calculations |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hello 馃憢馃徎
There are included JS dependencies in this gem that have published CVEs. The items in question are included here.
In particular, the jquery-ui bundled is v1.11.4, which is vulnerable to CVE-2016-7103
The impact of this is that consumers of capybara might see failures in static analysis of packages. These dependencies should be updated or excluded from the gemspec.
Meta
Capybara Version: latest
The text was updated successfully, but these errors were encountered: