Confusing quarantine of jQuery-UI

The package jQuery-UI is dependent on jQuery, which is without vulnerabilities since v3.5.0. The current version of jQuery-UI is 3 months old and depends on any jQuery version > 1.8.0.

The confusion comes from reading the vulnerability reports listed below; all of them refer to XSS vulns in jQuery itself, and not jQuery-UI. Additionally, most of them seem to have been published before any of the current versions of jQuery and jQuery-UI.

Is it possible to have a reassessment of jQuery-UI? From my understanding of the vulnerabilities described in the reports, it isn’t jQuery-UI which is vulnerable, but previous versions of jQuery (now fixed). Is this a correct interpretation, or am I missing something fundamental here?

  • CVE-2019-11358
  • CVE-2020-11023
  • CVE-2020-7656
  • sonatype-2012-0009
  • sonatype-2014-0026
  • sonatype-2016-0107
  • sonatype-2016-0610
  • sonatype-2017-0506
  • sonatype-2020-0187