@DHammer-PT opened this Issue on July 6th 2022

In the file /node_modules/jquery.dotdotdot/index.html - around line 146 - an insecure protocol (http) is used to load jquery.

The protocol needs to be replaced with https.

Please consider the correction in a future release.

Thanks in advance.

@bx80 commented on July 7th 2022 Contributor

Hi @DHammer-PT, thanks for pointing this out.

This file belongs to a third-party node module https://github.com/FrDH/dotdotdot-js and is part of the module documentation file, which is not publicly accessible as part of Matomo and would only be opened by developers. So it's an extremely low security risk.

v4.1.0 of the module no longer contains this insecure jQuery load, so we should update the module in our code base to the latest version.

@sgiehl commented on July 7th 2022 Member

That file is actually not part of our releases at all. It is removed within our release process, see

https://github.com/matomo-org/matomo/blob/4c0e328b6d34dd6604e2b882d129f22ff4d28fd6/.github/scripts/clean-build.sh#L148

We may nevertheless consider updating our frontend dependencies with the next major release, which might then fix this.

@DHammer-PT commented on July 7th 2022

> That file is actually not part of our releases at all. It is removed within our release process, see
>
> https://github.com/matomo-org/matomo/blob/4c0e328b6d34dd6604e2b882d129f22ff4d28fd6/.github/scripts/clean-build.sh#L148
>
> We may nevertheless consider updating our frontend dependencies with the next major release, which might then fix this.

Thanks for sharing that link. Fantastic tool for cleaning up an install.

This Issue was closed on July 7th 2022
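
Added example, not part of the original thread and not Matomo's or dotdotdot's code: a small Python check that flags HTML files in a dependency tree which load scripts, stylesheets or frames over plain `http://`, the pattern reported in this issue. The function names and the sample page are constructed for illustration.

```python
from html.parser import HTMLParser
from pathlib import Path

# Tags whose URL attribute makes the browser fetch active content.
ACTIVE_ATTRS = {"script": "src", "link": "href", "iframe": "src"}


class InsecureLoadFinder(HTMLParser):
    """Collect (line, tag, url) for sub-resources fetched over plain http://."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        wanted = ACTIVE_ATTRS.get(tag)
        for name, value in attrs:
            if name == wanted and value and value.strip().lower().startswith("http://"):
                self.findings.append((self.getpos()[0], tag, value.strip()))


def scan_html(text):
    finder = InsecureLoadFinder()
    finder.feed(text)
    finder.close()
    return finder.findings


def scan_tree(root):
    """Scan .html/.htm files under root; return {relative_path: findings}."""
    report = {}
    for path in sorted(Path(root).rglob("*.htm*")):
        if path.is_file():
            hits = scan_html(path.read_text(encoding="utf-8", errors="replace"))
            if hits:
                report[path.relative_to(root).as_posix()] = hits
    return report


# Constructed sample page, not the real contents of the dotdotdot file.
SAMPLE = """<html><head>
<script src="http://example.invalid/jquery.min.js"></script>
<script src="https://example.invalid/ok.js"></script>
<link rel="stylesheet" href="//example.invalid/style.css">
</head><body><a href="http://example.invalid/">plain link</a></body></html>
"""

if __name__ == "__main__":
    for line, tag, url in scan_html(SAMPLE):
        print(f"line {line}: <{tag}> loads {url}")
```

Ordinary `<a href>` links and protocol-relative URLs are not reported, since only the first loads active content over an explicit insecure scheme.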