Security vulnerability from jquery - CVE-2020-11023

While performing security scan of my application I discovered that when I install panel, it also installs some vulnerable js packages, like jQuery 3.4.1. It has a known vulnerability CVE-2020-11023. This vulnerability was already fixed in jQuery 3.5.0.

The jQuery files are located inside panel directory:

# find /opt/conda -name *jquery*

Is there a way of controlling versions of js packages required by panel? How could I change them?

1 Like

Thanks for reporting this @rafgonsi.

You would probably have to get Panel updated. The steps would be

  • Create a bug report on github
  • Make a PR with the corrections for Panel.

If I search through the panel code if find the below.

Whatever is in .py and .html files can just be updated. The package-lock.json probably needs to be updated via some npm command???

1 Like

If you need a here and now solution you could replace the existing jquery files by

  1. Download the updated jquery files.
  2. rename them to the existing jquery file names and move them into some subfolder of the dist folder in your Panel python package.
1 Like

@rafgonsi . I’ve reported the issue/ bug here JQuery needs update · Issue #2860 · holoviz/panel (


Fixed here Will push that out as part of a 0.12.5 release.

1 Like