While performing a security scan of my application I discovered that when I install panel, it also installs some vulnerable JS packages, like jQuery 3.4.1. It has a known vulnerability, CVE-2020-11023. This vulnerability was already fixed in jQuery 3.5.0.
The jQuery files are located inside panel directory:
# find /opt/conda -name '*jquery*'
/opt/conda/lib/python3.7/site-packages/panel/dist/bundled/plotlyplot/jquery-3.4.1.min.js
/opt/conda/lib/python3.7/site-packages/panel/dist/bundled/goldentemplate/jquery-1.11.1.min.js
/opt/conda/lib/python3.7/site-packages/panel/dist/bundled/bootstraptemplate/jquery-3.4.1.slim.min.js
Question:
Is there a way of controlling versions of js packages required by panel? How could I change them?
Marc, October 27, 2021, 3:40pm (post 2)
Thanks for reporting this @rafgonsi.
You would probably have to get Panel updated. The steps would be:
1. Create a bug report on GitHub.
2. Make a PR with the corrections for Panel.
If I search through the panel code I find the below.
Whatever is in .py and .html files can just be updated. The package-lock.json probably needs to be updated via some npm command???
Marc, October 27, 2021, 3:43pm (post 3)
If you need a here-and-now solution you could replace the existing jQuery files by:
1. Download the updated jQuery files.
2. Rename them to the existing jQuery file names and move them into some subfolder of the dist folder in your Panel Python package.
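The audit-and-replace procedure from the reply above, as an added example that is not code from this thread or from Panel itself. It assumes that jQuery builds (full, slim and minified alike) keep their standard banner line starting with `/*! jQuery vX.Y.Z`, that 3.5.0 is the first release containing the fix for CVE-2020-11023, and that you supply the SHA-256 of the downloaded replacement from the jQuery release page yourself. `make_sample_tree` builds a constructed, throw-away package layout so the script runs offline; against a real install you would point it at `.../site-packages/panel/dist` instead.

```python
"""Find jQuery copies below a fixed version inside a package tree and
replace them in place, keeping the original file names.

Added example; assumptions are noted in the comments.
"""
import hashlib
import re
import shutil
import tempfile
from pathlib import Path

# Assumption: 3.5.0 is the first jQuery release with the CVE-2020-11023 fix.
FIXED_VERSION = (3, 5, 0)

# Assumption: every jQuery build starts with a banner such as
#   /*! jQuery v3.4.1 | (c) JS Foundation and other contributors | jquery.org/license */
# Slim builds add a "-ajax,..." suffix after the version, which this still matches.
BANNER_RE = re.compile(r"/\*!\s*jQuery v(\d+)\.(\d+)\.(\d+)")


def jquery_version(path: Path):
    """Return (major, minor, patch) parsed from the file's banner, or None."""
    with path.open("r", encoding="utf-8", errors="replace") as fh:
        head = fh.read(512)  # the banner is on the first line; no need to load the whole file
    match = BANNER_RE.search(head)
    return tuple(int(part) for part in match.groups()) if match else None


def find_vulnerable(root: Path, fixed=FIXED_VERSION):
    """Walk `root` for jquery*.js files whose banner version is below `fixed`."""
    hits = []
    for path in sorted(root.rglob("*jquery*.js")):
        version = jquery_version(path)
        if version is not None and version < fixed:
            hits.append((path, version))
    return hits


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def replace_in_place(target: Path, replacement: Path, expected_sha256: str) -> str:
    """Overwrite `target` with `replacement` under the original file name.

    The replacement must hash to `expected_sha256` (taken from the jQuery
    release page) so a tampered or truncated download is never installed.
    A .bak copy of the old file is kept beside the new one.
    """
    actual = sha256_of(replacement)
    if actual != expected_sha256:
        raise ValueError(f"checksum mismatch for {replacement}: got {actual}")
    shutil.copy2(target, target.with_name(target.name + ".bak"))
    shutil.copyfile(replacement, target)
    return sha256_of(target)


def make_sample_tree():
    """Constructed sample layout mirroring the paths in the question (not real Panel files).

    Returns (root, bundled_old_file, downloaded_new_file).
    """
    root = Path(tempfile.mkdtemp(prefix="panel-dist-"))
    old = root / "bundled" / "bootstraptemplate" / "jquery-3.4.1.slim.min.js"
    old.parent.mkdir(parents=True)
    # Constructed stand-ins: banner lines in the real format, bodies are placeholders.
    old.write_text("/*! jQuery v3.4.1 -ajax,-ajax/jsonp | (c) JS Foundation | jquery.org/license */\n"
                   "!function(){}();\n")
    new = root / "jquery-3.6.0.min.js"
    new.write_text("/*! jQuery v3.6.0 | (c) OpenJS Foundation | jquery.org/license */\n"
                   "!function(){}();\n")
    return root, old, new


if __name__ == "__main__":
    import sys
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else make_sample_tree()[0]
    for path, version in find_vulnerable(root):
        print(f"{path}: jQuery {'.'.join(map(str, version))} is below 3.5.0")
```

Two caveats when using this for real: a pip or conda reinstall of Panel overwrites the replaced files, so the swap has to be repeated (or baked into your image build) until an upgraded Panel release ships; and the bundled copies are not all interchangeable, since the goldentemplate one is a 1.11.1 build and the bootstraptemplate one is a slim build, so moving either to a 3.5+ full build changes the API that template's JavaScript sees and needs a quick functional check of the affected templates.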
Marc, October 27, 2021, 3:53pm (post 4)
Fixed here https://github.com/holoviz/panel/pull/2885 . Will push that out as part of a 0.12.5 release.