The package jQuery-UI is dependent on jQuery, which is without vulnerabilities since v3.5.0. The current version of jQuery-UI is 3 months old and depends on any jQuery version > 1.8.0.
The confusion comes from reading the vulnerability reports listed below; all of them refer to XSS vulns in jQuery itself, and not jQuery-UI. Additionally, most of them seem to have been published before any of the current versions of jQuery and jQuery-UI.
Is it possible to have a reassessment of jQuery-UI? From my understanding of the vulnerabilities described in the reports, it isn’t jQuery-UI which is vulnerable, but previous versions of jQuery (now fixed). Is this a correct interpretation, or am I missing something fundamental here?
- CVE-2019-11358
- CVE-2020-11023
- CVE-2020-7656
- sonatype-2012-0009
- sonatype-2014-0026
- sonatype-2016-0107
- sonatype-2016-0610
- sonatype-2017-0506
- sonatype-2020-0187