
jQuery 3.3.1 has multiple CVEs #1938

Closed
ToppleTheNun opened this issue May 26, 2021 · 1 comment · Fixed by #2482
Labels
bug format: Javadoc An issue/PR related to Dokka's Javadoc output format or the Javadoc comments in general good first issue A beginner-friendly issue for which some assistance is expected

Comments

@ToppleTheNun
Contributor

Describe the bug
jQuery 3.3.1 has multiple CVEs that are starting to show up in my organization's automated security scanning as it is contained in the output javadoc.

https://www.whitesourcesoftware.com/vulnerability-database/CVE-2020-11022
https://www.whitesourcesoftware.com/vulnerability-database/CVE-2019-11358
https://www.whitesourcesoftware.com/vulnerability-database/CVE-2020-11023

Expected behaviour
Javadoc output to not have multiple CVEs associated with it.

To Reproduce

  1. Create a very basic Kotlin project with Dokka
  2. Use Dokka to create the javadoc for the project
  3. Check the javadoc output and see that it's using jQuery 3.3.1

Dokka configuration
Configuration of dokka used to reproduce the bug

```kotlin
dokkaSourceSets {
    configureEach {
        // Disable linking to online kotlin-stdlib documentation
        noStdlibLink.set(true)

        // Disable linking to online JDK documentation
        noJdkLink.set(true)
    }
}
```

Installation

  • Operating system: macOS
  • Build tool: Gradle v7.0.2
  • Dokka version: 1.4.32

Are you willing to provide a PR?
Yes, I am willing to provide a PR
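The check the reporter's scanner is performing can be reproduced locally. The following is an added example (not Dokka's code and not the reporter's): it walks a generated documentation tree, reads the version string from the header comment of each bundled `jquery*.js` file, and compares it with the release in which each of the three advisories above was fixed (3.4.0 for CVE-2019-11358, 3.5.0 for CVE-2020-11022 and CVE-2020-11023). It goes slightly beyond the report in that companion files such as `jquery-ui` or `jquery-migrate` are listed but not version-checked, since their headers are not jQuery core headers. The sample directory layout and file headers are constructed for the example.

```python
import re
import tempfile
from pathlib import Path

# Release in which each advisory's fix landed (jQuery 3.4.0 and 3.5.0
# release notes). A bundled copy older than the fix is affected.
#   CVE-2019-11358  prototype pollution in jQuery.extend         -> fixed in 3.4.0
#   CVE-2020-11022  XSS via jQuery.htmlPrefilter                 -> fixed in 3.5.0
#   CVE-2020-11023  XSS via HTML containing <option> elements    -> fixed in 3.5.0
FIXED_IN = {
    "CVE-2019-11358": (3, 4, 0),
    "CVE-2020-11022": (3, 5, 0),
    "CVE-2020-11023": (3, 5, 0),
}

# Matches both the minified header ("/*! jQuery v3.3.1 | ...") and the
# unminified one (" * jQuery JavaScript Library v3.3.1"). Headers of
# jQuery UI / jQuery Migrate deliberately do not match.
VERSION_RE = re.compile(r"jQuery(?: JavaScript Library)? v(\d+)\.(\d+)\.(\d+)")


def parse_jquery_version(header_text):
    """Return (major, minor, patch) from a jQuery core file header, or None."""
    m = VERSION_RE.search(header_text)
    return tuple(int(g) for g in m.groups()) if m else None


def affected_cves(version):
    """Advisories from FIXED_IN whose fix is newer than `version`."""
    return sorted(cve for cve, fixed in FIXED_IN.items() if version < fixed)


def scan_tree(root):
    """Map every jquery*.js under `root` to (version, affected CVE ids).

    Only the first 4 KiB of each file is read: the version lives in the
    leading comment, and minified bundles can be large.
    """
    root = Path(root)
    findings = {}
    for path in sorted(root.rglob("*.js")):
        if "jquery" not in path.name.lower():
            continue
        head = path.read_text(encoding="utf-8", errors="replace")[:4096]
        version = parse_jquery_version(head)
        findings[path.relative_to(root).as_posix()] = (
            version,
            affected_cves(version) if version is not None else [],
        )
    return findings


# Constructed sample tree imitating a javadoc output directory; the file
# contents are just the header comments such files start with.
SAMPLE_FILES = {
    "jquery/jquery.min.js":
        "/*! jQuery v3.3.1 | (c) JS Foundation and other contributors | jquery.org/license */\n",
    "jquery/jquery-ui.min.js":
        "/*! jQuery UI - v1.12.1 - 2016-09-14 */\n",
    "resources/jquery-3.5.0.min.js":
        "/*! jQuery v3.5.0 | (c) JS Foundation and other contributors | jquery.org/license */\n",
}


def demo():
    """Write the sample tree to a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, content in SAMPLE_FILES.items():
            target = Path(tmp) / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(content, encoding="utf-8")
        return scan_tree(tmp)


if __name__ == "__main__":
    for rel, (version, cves) in demo().items():
        shown = ".".join(map(str, version)) if version else "not jQuery core"
        status = ", ".join(cves) if cves else "no known affected advisory"
        print(f"{rel}: {shown} -> {status}")
```

Point `scan_tree` at the real `build/dokka/javadoc` directory instead of the constructed sample to check a project's own output; a copy reported with all three advisories is exactly the 3.3.1 case from the report, and the 3.5.0 entry shows what the upgrade in the fixing commit produces.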

@vmishenev vmishenev added the format: Javadoc An issue/PR related to Dokka's Javadoc output format or the Javadoc comments in general label Dec 7, 2021
@IgnatBeresnev
Member

We actually have a copy of jquery in our sources: https://github.com/Kotlin/dokka/tree/04cf1cdd3a909fa62e5ffda5b7d04695c749177e/plugins/javadoc/src/main/resources/static_res/jquery

Ideally, it'd be great to have it as a proper dependency (webjars or something like this), but at the very least it has to be updated to a more recent version.

@IgnatBeresnev IgnatBeresnev added the good first issue A beginner-friendly issue for which some assistance is expected label Apr 26, 2022
ToppleTheNun added a commit to ToppleTheNun/dokka that referenced this issue May 2, 2022
update to jquery 3.5.0
update to jquery-migrate 3.4.0
update to jquery-ui 1.13.1

closes Kotlin#1938
ToppleTheNun added a commit to ToppleTheNun/dokka that referenced this issue May 13, 2022
update to jquery 3.5.0
update to jquery-migrate 3.4.0
update to jquery-ui 1.13.1

closes Kotlin#1938
kodiakhq bot pushed a commit to RBusarow/Dispatch that referenced this issue Jul 16, 2022
[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [org.jetbrains.dokka](https://togithub.com/Kotlin/dokka) | `1.5.31` -> `1.7.10` | [![age](https://badges.renovateapi.com/packages/maven/org.jetbrains.dokka/1.7.10/age-slim)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://badges.renovateapi.com/packages/maven/org.jetbrains.dokka/1.7.10/adoption-slim)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://badges.renovateapi.com/packages/maven/org.jetbrains.dokka/1.7.10/compatibility-slim/1.5.31)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://badges.renovateapi.com/packages/maven/org.jetbrains.dokka/1.7.10/confidence-slim/1.5.31)](https://docs.renovatebot.com/merge-confidence/) |
| [org.jetbrains.dokka:dokka-gradle-plugin](https://togithub.com/Kotlin/dokka) | `1.5.31` -> `1.7.10` | [![age](https://badges.renovateapi.com/packages/maven/org.jetbrains.dokka:dokka-gradle-plugin/1.7.10/age-slim)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://badges.renovateapi.com/packages/maven/org.jetbrains.dokka:dokka-gradle-plugin/1.7.10/adoption-slim)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://badges.renovateapi.com/packages/maven/org.jetbrains.dokka:dokka-gradle-plugin/1.7.10/compatibility-slim/1.5.31)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://badges.renovateapi.com/packages/maven/org.jetbrains.dokka:dokka-gradle-plugin/1.7.10/confidence-slim/1.5.31)](https://docs.renovatebot.com/merge-confidence/) |

---

### Release Notes

<details>
<summary>Kotlin/dokka</summary>

### [`v1.7.10`](https://togithub.com/Kotlin/dokka/releases/tag/v1.7.10)

Bugfix release that addresses several blockers and regressions.

##### General

-   Support `Kotlin` 1.7.10

##### Gradle plugin

-   Do not expose `Kotlin` stdlib in plugin dependencies, this should fix errors like `Module was compiled with an incompatible version of Kotlin` when using `Dokka`. Thanks to [@martinbonnin](https://togithub.com/martinbonnin) ([#2543](https://togithub.com/Kotlin/dokka/issues/2543))

##### Java sources

-   Fixed build failure caused by having configured source links for `Java` code ([#2544](https://togithub.com/Kotlin/dokka/issues/2544))
-   Fixed several exotic problems that led to build failures, all related to using annotation in `Java` sources ([#2509](https://togithub.com/Kotlin/dokka/issues/2509), [#2551](https://togithub.com/Kotlin/dokka/issues/2551), [#2350](https://togithub.com/Kotlin/dokka/issues/2350))
-   Fixed `IntelliJ` platform `WARN: Attempt to load key` messages that appeared when analyzing `Java` sources ([#2559](https://togithub.com/Kotlin/dokka/issues/2559))

### [`v1.7.0`](https://togithub.com/Kotlin/dokka/releases/tag/v1.7.0)

##### Improvements

##### General

-   Update to `Kotlin` 1.7.0, `IntelliJ` Platform 213
-   Support [definitely non-nullable types](https://kotlinlang.org/docs/whatsnew17.html#stable-definitely-non-nullable-types) (Kotlin/dokka#2520)
-   Don't expose enum entry constructor arguments, thanks to [@ebraminio](https://togithub.com/ebraminio) (Kotlin/dokka#2497)
-   Preserve ordering of enum entries as in source code, previously reversed (Kotlin/dokka#2469)
-   Improve support for inherited `Java` fields with accessors, now properly interpreted as `val`/`var` properties (Kotlin/dokka#2481, Kotlin/dokka#2532, Kotlin/dokka#2540)
-   Skip `@Deprecated` members with `HIDDEN` level (Kotlin/dokka#2486)
-   Make rendered default value dependent on source set for expect/actual declarations (Kotlin/dokka#2449)

##### HTML format

-   Render quotes as blockquotes instead of code blocks, thanks to [@TheOnlyTails](https://togithub.com/TheOnlyTails) (Kotlin/dokka#2496)

##### Javadoc format

-   Make `Javadoc` pages generation deterministic (Kotlin/dokka#2479)
-   Update shipped `jQuery` to avoid multiple CVEs, thanks to [@ToppleTheNun](https://togithub.com/ToppleTheNun) (Kotlin/dokka#1938)

##### GFM format

-   Support rendering of code blocks and inline code used in KDocs, thanks to [@cosinekitty](https://togithub.com/cosinekitty) (Kotlin/dokka#2485)

##### Kotlin-as-Java plugin

-   Include `Java` access modifiers into function signatures, thanks to [@tripolkaandrey](https://togithub.com/tripolkaandrey) (Kotlin/dokka#2510)

##### Gradle runner

-   Make `dokka-analysis` dependency `compileOnly`, this should help avoid compatibility problems if different versions of `Kotlin` are bundled in `Gradle` and `Dokka` (Kotlin/dokka#2521)
-   Enable stricter validation for cacheable `Gradle` tasks, thanks to [@3flex](https://togithub.com/3flex) (Kotlin/dokka#2500)
-   Remove unused & redundant dependencies for `Gradle` runner, thanks to [@3flex](https://togithub.com/3flex) (Kotlin/dokka#2502)
-   Remove outdated suppression in `Gradle` runner, thanks to [@3flex](https://togithub.com/3flex) (Kotlin/dokka#2501)

##### Fixes

##### General bugfixes

-   Fixed a compiler deadlock issue which led to stalling builds in some KMP projects (Kotlin/dokka#2480)
-   Fixed incorrect argument names of functional type parameters (Kotlin/dokka#2478)
-   Fixed missing external docs for AndroidX libraries, thanks to [@EdricChan03](https://togithub.com/EdricChan03) (Kotlin/dokka#2456)
-   Fixed tests failing on Windows, thanks to [@3flex](https://togithub.com/3flex) (Kotlin/dokka#2507)

##### Security

-   Get rid of bundled `log4j` 1.2 that came as a transitive dependency (Kotlin/dokka#2488)
-   Update Jackson to avoid [CVE-2020-36518](https://nvd.nist.gov/vuln/detail/CVE-2020-36518), thanks to [@1mt](https://togithub.com/1mt) (Kotlin/dokka#2525)

##### Plugin API

-   Decompose `base.ftl` template: now `header.ftl`, `footer.ftl` and `page_metadata.ftl` can be overridden individually (Kotlin/dokka#2432)

##### Other

-   Add Kotlin stability & support badges, thanks to [@etolstoy](https://togithub.com/etolstoy) (Kotlin/dokka#2511)
-   Remove an unused runner parameter, thanks to [@3flex](https://togithub.com/3flex) (Kotlin/dokka#2498)
-   Correct typos, thanks to [@PaladiRka](https://togithub.com/PaladiRka) (Kotlin/dokka#2504) and [@mahozad](https://togithub.com/mahozad) (Kotlin/dokka#2506)!

Thanks to all the contributors!

### [`v1.6.21`](https://togithub.com/Kotlin/dokka/releases/tag/v1.6.21)

This is a bugfix release that mostly enables building documentation for multiplatform projects that utilize `.klib` libraries.

##### Changes

-   Support Kotlin 1.6.21
-   Update `jsoup` dependency to avoid [CVE-2021-37714](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37714) ([#2448](https://togithub.com/Kotlin/dokka/issues/2448))

##### Bugfixes

-   Support `KLIB` libraries for common platform, previously led to `ERROR CLASS` instead of references in documentation ([#2441](https://togithub.com/Kotlin/dokka/issues/2441))
-   Fixed a maven plugin build problem related to coroutines which only occurred in multi-module builds ([#2461](https://togithub.com/Kotlin/dokka/issues/2461))

### [`v1.6.20`](https://togithub.com/Kotlin/dokka/releases/tag/v1.6.20)

#### Features

-   Introduce `documentedVisibilities` setting that allows including/excluding any visibility modifier in documentation. This is a more flexible replacement for `includeNonPublic`, which has now been deprecated (Kotlin/dokka#2270)
-   Make HTML pages customizable through FreeMarker HTML templates (Kotlin/dokka#2374)
-   Add global settings to JSON dokka CLI input (Kotlin/dokka#2292), thanks to [@BarkingBad](https://togithub.com/BarkingBad)!

#### HTML format changes

-   Add vertical alignment (wrapping) of signatures when 3 and more parameters are present (Kotlin/dokka#2309)
-   Enhance primary constructor signature, display `val`/`var` keywords and default values (Kotlin/dokka#2313)
-   Add a level of indentation to childless items in navigation tree (Kotlin/dokka#2291)
-   Add horizontal margin to breadcrumbs delimiter (Kotlin/dokka#2285)
-   Fixed various CSS rendering issues (Kotlin/dokka#2284, Kotlin/dokka#2389)

#### Bugfixes

-   Fixed `OutOfMemoryError: Metaspace`-related issues for the majority of cases (Kotlin/dokka#2216)
-   Fixed classpath issues for HMPP libraries (Kotlin/dokka#2431)
-   Using `@` symbol within code blocks in `.md` files doesn't lead to cropped documents anymore (Kotlin/dokka#2418)
-   Fixed incorrect placement of HTML head tags, which led to missing favicon in multi-module projects (Kotlin/dokka#2365)
-   Fixed resolution of ultralight methods that led to flaky signature generation (Kotlin/dokka#2400)
-   Coroutines dispatchers are now shut down after each module pass to avoid resource leaks (Kotlin/dokka#2325)
-   Suppressed property setters are now excluded from documentation (Kotlin/dokka#2220)
-   Suppressing extensions doesn't fail builds anymore (Kotlin/dokka#2348), thanks to [@BarkingBad](https://togithub.com/BarkingBad)!
-   Fixed java getter / setter name generation for kotlin-java interop, now `isBoolean` instead of `getBoolean` (Kotlin/dokka#2356), thanks to [@CharlesG-Branch](https://togithub.com/CharlesG-Branch)!
-   Fixed MathJax plugin, previously completely broken (Kotlin/dokka#2342), thanks to [@wyskoj](https://togithub.com/wyskoj)!
-   Fixed Input/Output streams to minimize resource leaks (Kotlin/dokka#2312, Kotlin/dokka#2319)

#### Plugin API Changes

-   Add an extension point for rendering custom [documentation tags](https://kotlinlang.org/docs/kotlin-doc.html#block-tags) (Kotlin/dokka#2343)
-   Add an extension point for an external documentable provider (Kotlin/dokka#2307), thanks to [@Kordyjan](https://togithub.com/Kordyjan)!
-   Add filtering strategies extension point and fix constructors in Kotlin-as-Java (Kotlin/dokka#2277), thanks to [@BarkingBad](https://togithub.com/BarkingBad)!
-   Expose Kotlin-as-Java methods that could be used not only as part of transformers (Kotlin/dokka#2351), thanks to [@BarkingBad](https://togithub.com/BarkingBad)!
-   Refactor Ancestry Graphs (Kotlin/dokka#2326), thanks to [@BarkingBad](https://togithub.com/BarkingBad)!
-   Fixed resolving of DRIs for Enum Entries (Kotlin/dokka#2305), thanks to [@BarkingBad](https://togithub.com/BarkingBad)!

#### General Improvements

-   Collect annotations from `package-info.java` (Kotlin/dokka#2331), thanks to [@ember-rose](https://togithub.com/ember-rose)!
-   Add support for header tags (`<h1>` / `<h2>` / `<h3>`) in Javadoc (Kotlin/dokka#2345), thanks to [@asfalcone](https://togithub.com/asfalcone)!
-   Add an option to merge implicit expect-actual declarations, enables merging of pages for related declarations which are not connected via `expect`-`actual` keywords (Kotlin/dokka#2316)
-   Add a note about using Dokka in a precompiled script plugin (Kotlin/dokka#2303), thanks to [@chkpnt](https://togithub.com/chkpnt)!
-   Fixed wrong Groovy DSL example (Kotlin/dokka#2302), thanks to [@chkpnt](https://togithub.com/chkpnt)!
-   Various code cleanups (Kotlin/dokka#2165, Kotlin/dokka#2360, Kotlin/dokka#2364, Kotlin/dokka#2385), thanks to [@Goooler](https://togithub.com/Goooler)!

#### Known issues

-   Kotlin Multiplatform projects that use `.klib` libraries may experience problems. There will be a separate `1.6.21` release that will address this issue shortly.

### [`v1.6.10`](https://togithub.com/Kotlin/dokka/releases/tag/v1.6.10)

#### Changes

-   Support Kotlin 1.6.10
-   Add a sample project for versioning multi-module (Kotlin/dokka#2170)

#### Bugfixes

-   Fix various `java.util.zip.ZipException` for JS dependencies (Kotlin/dokka#2258)
-   Fix handling of Description Lists (`<dl>`) used in JavaDocs (Kotlin/dokka#2259)
-   Fix for "repositories not defined" issue in versioning multimodule example (Kotlin/dokka#2263), thanks [@rajdeep1008](https://togithub.com/rajdeep1008)!
-   Fix multiple rendering issues for "See Also" block for html format (Kotlin/dokka#2267)
-   Fix sample body not being embedded to documentation (Kotlin/dokka#2216)

#### Maintenance

-   Update npm dependencies (Kotlin/dokka#2251)
-   Bump `de.undercouch.download` to 4.1.2 (Kotlin/dokka#2268)
-   Bump `kotlinx.coroutines` to 1.6.0 in integration tests (Kotlin/dokka#2276)

### [`v1.6.0`](https://togithub.com/Kotlin/dokka/releases/tag/v1.6.0)

Changes:

-   **New UI**
-   Support of version plugin for single module projects
-   Allow package-level suppression ([#2209](https://togithub.com/Kotlin/dokka/issues/2209)), thanks [@owengray-google](https://togithub.com/owengray-google)
-   GFM: Use Markdown syntax to render lists ([#2098](https://togithub.com/Kotlin/dokka/issues/2098)), thanks [@sgilson](https://togithub.com/sgilson)
-   Fix names of nested inheritors
-   Fix adding new custom stylesheets in submodules
-   Add keywords `expect` and `actual` in signatures

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about these updates again.

---

 - [ ] If you want to rebase/retry this PR, click this checkbox.

---

This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://app.renovatebot.com/dashboard#github/RBusarow/Dispatch).

PR-URL: #488