@bnachtweh opened this Issue on October 5th 2020

Applies for version

  • 4.x-dev
  • 4.0.0-b2

Issue

Some front-end bundles used in this package seem to be outdated and may contain vulnerabilities. A good example is jQuery. See https://snyk.io/vuln/SNYK-JS-JQUERY-567880.

I have checked out the latest 4.x-dev tag to find out if there have been any upgrades in the front-end stack, but this doesn't seem to be the case according to the package.json. Is the front-end stack going to be upgraded in any noticeable time?

I understand that a major upgrade is not made easily, but these vulnerabilities pop up in our pen test, so I was wondering if these upgrades are, by any chance, on your roadmap.

It applies to the following in the package.json (https://github.com/matomo-org/matomo/blob/4.x-dev/package.json):

    "jquery": "^2.2.4",
    "jquery-mousewheel": "^3.1.13",
    "jquery-ui-dist": "^1.12.1",
    "jquery.browser": "^0.1.0",
    "jquery.dotdotdot": "^3.2.3",
    "jquery.scrollto": "^2.1.2",

But I would advise reviewing all front-end bundles in use for possible vulnerabilities and active maintenance. Some bundles have moved or have not been actively maintained for years.
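The check the report above is doing by hand, as an added example that is not part of the original issue and not Matomo's own code: a small Node script that takes the quoted dependency block (embedded here as a constructed object rather than read from disk), derives the lower bound of each declared range, and flags any package whose floor is older than the version that carries the fix. The advisory table is an assumption made for this example (it treats SNYK-JS-JQUERY-567880 as fixed in jQuery 3.5.0); confirm each entry against the advisory before relying on it.

```javascript
// Added example (not Matomo code). Flags package.json dependency ranges whose
// lower bound is below a known fix version.

// Constructed sample: the dependency block quoted in the issue, as a
// package.json-style object so the example runs offline.
const packageJson = {
  dependencies: {
    "jquery": "^2.2.4",
    "jquery-mousewheel": "^3.1.13",
    "jquery-ui-dist": "^1.12.1",
    "jquery.browser": "^0.1.0",
    "jquery.dotdotdot": "^3.2.3",
    "jquery.scrollto": "^2.1.2",
  },
};

// Constructed advisory table: package -> first version containing the fix.
// ASSUMPTION for this example: SNYK-JS-JQUERY-567880 is fixed in jQuery 3.5.0.
const fixedIn = {
  "jquery": "3.5.0",
};

// "1.12.1" -> [1, 12, 1]; pre-release/build suffixes are stripped
// ("3.5.0-rc1" -> [3, 5, 0]). Anything that is not x.y.z is rejected.
function parseVersion(v) {
  const core = v.split(/[-+]/)[0];
  const parts = core.split(".").map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) {
    throw new Error(`unsupported version string: ${v}`);
  }
  return parts;
}

// Lower bound of the simple range forms npm writes by default:
// "^x.y.z", "~x.y.z", ">=x.y.z", "=x.y.z", "x.y.z". Unions ("||"),
// wildcards and hyphen ranges are refused rather than guessed, because a
// wrong floor would silently hide a vulnerable install.
function rangeFloor(range) {
  const m = /^(?:\^|~|>=|=)?\s*(\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.]+)?)$/.exec(range.trim());
  if (!m) throw new Error(`cannot derive lower bound from range: ${range}`);
  return m[1];
}

// -1, 0 or 1, comparing major, minor and patch numerically (so 3.10.0 > 3.9.1).
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Returns the dependencies whose declared floor is older than the fix.
// For a caret range the floor is decisive: "^2.2.4" can never resolve to
// 3.x, so no version it can install carries a fix that landed in 3.5.0.
// For open ranges (">=") the floor only says a vulnerable version is
// allowed; the lockfile decides what was actually installed.
function findOutdated(pkg, advisories) {
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const findings = [];
  for (const [name, range] of Object.entries(deps)) {
    if (!(name in advisories)) continue;
    const floor = rangeFloor(range);
    if (compareVersions(floor, advisories[name]) < 0) {
      findings.push({ name, range, floor, fixedIn: advisories[name] });
    }
  }
  return findings;
}

for (const f of findOutdated(packageJson, fixedIn)) {
  console.log(`${f.name}@${f.range}: floor ${f.floor} is below fix ${f.fixedIn}`);
}
```

On the sample input only jquery is reported. The script deliberately works from the declared range rather than the resolved version, which is what makes the point of the report explicit: a caret range pinned to the 2.x major cannot pick up a fix released in 3.x no matter how often the lockfile is refreshed, so only a change to package.json helps. Against a real repository the resolved versions in package-lock.json (or the output of npm audit, which reads them) are the authoritative input; this script is for explaining the finding, not replacing that check.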

@Findus23 commented on October 5th 2020 Member

Hi,

(see also https://github.com/matomo-org/matomo/issues/12961)

I think those vulnerabilities don't apply to Matomo (if you have a proof of concept for any of them in Matomo, it would be great if you could report it to https://matomo.org/security/).

I think there were some reasons for not upgrading to jQuery 3. materializecss doesn't support it, and the fork doesn't seem to have a stable release yet.

@tsteur commented on October 5th 2020 Member

We aren't upgrading to jQuery 3 yet because WordPress is not using it (yet) and things could potentially become incompatible there. We're monitoring these reports and we couldn't find any specific one that actually impacts Matomo. If you know otherwise, feel free to reach out to us as @Findus23 pointed out. I wonder if we can close this issue?

@bnachtweh commented on October 6th 2020

@Findus23 I think it applies to our integration of Matomo in our Symfony application. The Packagist page sent me to this repository. What I found in the Twig templates is that you're including jQuery there from a designated vendor folder, which contains the jQuery installation by Bower (later by NPM?).

As @tsteur said, it isn't likely that an upgrade of jQuery is coming (soon), so I think that answers my question. I will close the issue.

@Findus23 commented on October 6th 2020 Member

@tsteur Just for your information:

It seems like the WordPress team is planning to use the latest jQuery version with the next release, which I assume will come out soon, so that might create new issues when Matomo expects an older version.

https://make.wordpress.org/core/2020/06/29/updating-jquery-version-shipped-with-wordpress/

@tsteur commented on October 6th 2020 Member

We have an issue for this here @Findus23 https://github.com/matomo-org/wp-matomo/issues/314

I've already done some testing to make it work with jQuery 1 and jQuery 3 and applied a small patch, and I reckon it will actually go quite smoothly, but that remains to be seen when it happens.

This Issue was closed on October 6th 2020