@tassoman opened this Pull Request on November 3rd 2022 Contributor

Description:

The current jQuery 2.2.4 library suffers from 3 XSS vulnerabilities and a Prototype Pollution.
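
As an added illustration of the prototype pollution class mentioned above (this is not code from the PR, from jQuery, or from Matomo), the block below contains a simplified recursive deep merge written in the style of a deep `$.extend(true, target, source)`, next to a hardened variant. Before jQuery 3.4.0 the deep-extend path would descend into a source key named `__proto__` and so write attacker-controlled properties onto `Object.prototype`; the hardened merge only walks own keys and refuses the `__proto__`, `constructor` and `prototype` names. The function names, the `pollutesPrototype` probe and the JSON payload are all assumptions constructed for the example.

```javascript
// Added example, not jQuery's implementation: a minimal recursive deep merge
// that reproduces the bug class of a deep $.extend() in old jQuery releases.
function unsafeDeepMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      if (typeof target[key] !== 'object' || target[key] === null) {
        target[key] = {};
      }
      // When key === "__proto__", target[key] resolves to Object.prototype,
      // so the recursive call writes the attacker's keys onto every object.
      unsafeDeepMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened variant: iterate own keys only and skip the names that reach
// the prototype chain. Nested targets are created fresh unless the target
// already owns a plain object at that key.
function safeDeepMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (key === '__proto__' || key === 'constructor' || key === 'prototype') {
      continue;
    }
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      const base = own !== null && typeof own === 'object' && !Array.isArray(own) ? own : {};
      target[key] = safeDeepMerge(base, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Probe: merge a constructed attacker payload (the kind that arrives as a
// JSON body or query object) into an empty object, then check whether an
// unrelated fresh object inherited the injected property. Global state is
// restored afterwards so the probe can be run repeatedly.
function pollutesPrototype(merge) {
  const payload = JSON.parse('{"__proto__": {"polluted": "yes"}}'); // constructed input
  merge({}, payload);
  const leaked = ({}).polluted === 'yes';
  delete Object.prototype.polluted;
  return leaked;
}

console.log('unsafe merge pollutes Object.prototype:', pollutesPrototype(unsafeDeepMerge));
console.log('safe merge pollutes Object.prototype:  ', pollutesPrototype(safeDeepMerge));
```

The reason this matters for an application like Matomo is that a polluted `Object.prototype` key is visible from every plain object afterwards, so any later check of the form `if (options.someFlag)` on an object that never set that flag can be flipped by input that merely passed through the merge. The hardened merge is the shape of the fix rather than a substitute for upgrading the library.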

Review

@sgiehl commented on November 7th 2022 Member

Hi @tassoman
We most likely won't change that for Matomo 4, to avoid possible problems with Matomo plugins or Matomo for WordPress. We are currently preparing Matomo 5, where we might consider also updating jQuery (if it doesn't cause regressions with WordPress).
Would you mind rebasing/changing your PR to target 5.x-dev, or creating a new PR for that if that is easier?

@tassoman commented on November 10th 2022 Contributor

WordPress has already had jQuery 3.6.0 in it for 2 years.
They also have jQuery Migrate already set. No worries about breaking.

I've already patched my Matomo 4.11.x package, but the file integrity checker gives back a false positive error.
So the Matomo installation can't be checked for integrity because of the jquery.min.js substitution.
This is also a security flaw in the system. We don't want to lower our security level in the core system.

@sgiehl commented on November 11th 2022 Member

@tassoman We are committing all the npm libraries that are required for Matomo to run. I've therefore created a new PR that contains all required jQuery files.
Closing this one in favor of #19989

@tassoman commented on November 11th 2022 Contributor

Awesome, thanks a lot!

This Pull Request was closed on November 11th 2022