Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

jquery vulnerability introduced with tinycolor2

See original GitHub issue

Bug report

Describe the bug

Charka theme-tools brings in TinyColor2 1.4.1 and 1.4.2.

"@chakra-ui/theme-tools": {
      "version": "1.0.0-rc.8",
      "resolved": "https://registry.npmjs.org/@chakra-ui/theme-tools/-/theme-tools-1.0.0-rc.8.tgz",
      "integrity": "sha512-z9suTMHa+La8mpYKS3c601PMa9YMtZqJCucflPXqTvHog8YMJFgsw2nAV5hdtmE81L6z/qzhNxrS8W+uzXrmCQ==",
      "requires": {
        "@chakra-ui/utils": "1.0.0-rc.8",
        "@types/tinycolor2": "1.4.2",
        "tinycolor2": "1.4.1"
      }
    }

And that results in an error from npm retire.

.../node_modules/tinycolor2/demo/jquery-1.9.1.js
↳ jquery 1.9.1 has known vulnerabilities: severity: medium; issue: 2432, summary: 3rd party CORS request may execute, CVE: CVE-2015-9251;

To reproduce

Add the latest chakra release and retire to package.json

"@chakra-ui/core": "next",
"retire": "^1.6.3",

then run npm run retire -p

And you’ll see the jquery vulnerability.

Expected behavior

Add chakra without new security vulnerabilities.

System information

OS: macOS catalina
Version of @chakra-ui/react: “next” -> 1.0.0-rc.8
Version of Node.js: 15.2.1

Additional context

The issue is fixed in TinyColor2 1.4.2. Chakra is bringing in 1.4.1 and 1.4.2.

Issue Analytics

State:
Created 3 years ago
Comments:7 (3 by maintainers)

Top GitHub Comments

1reaction

ljosberinncommented, Nov 19, 2020

just pushed a fix that should resolve it in the next release

0reactions

uma-uccommented, Oct 20, 2022

I still see jquery as a dependency… Am I alone?

Top Results From Across the Web

convert_test.go · master · GitLab.org / security-products / analyzers ...

Message: "3rd party CORS request may execute in jquery",. 83. CompareKey: "app/node_modules/tinycolor2/demo/jquery-1.9.1.js:jquery:cve:CVE-2015-2951",.

How to use the tinycolor2.equals function in tinycolor2 - Snyk

To help you get started, we've selected a few tinycolor2.equals examples, based on popular ways it is used in public projects.

Danger of old jQuery libraries - Pakurity

We demonstrate how the old jQuery library can lead to Cross-site-scripting vulnerability (XSS). And update of the jQuery version immediately ...

T257579 Security Readiness Review For WVUI and Vector ...

(no explicit vulnerabilities reported, simply noting for completeness' sake.) ... copied into the repo's demos: node_modules/tinycolor2/demo/jquery-1.9.1.js.

Profile for Snyk Ltd - Linknovate

HTTP request smuggling is an interesting vulnerability type that has gained ... As such, Snyk has researched the remediation implemented by open source ......