jQuery - Includes front-end JavaScript libraries with known security vulnerabilities
I did an optimization analysis of my website with Google Lighthouse and one of the "Best Practices" issues is as follows:
Some third-party scripts may contain known security vulnerabilities that are easily identified and exploited by attackers.
And the analysis helps you with this documentation.
The problem is with the jQuery [email protected] library. I don't actually use it, but that project has Bootstrap 4 so I need the library; migrating to Bootstrap 5 is very complicated at the moment.
I import JQuery from app.js like this:
import 'jquery';
import $ from 'jquery';
window.$ = window.jQuery = $;
import 'jquery-ui/ui/widgets/datepicker.js';
The version installed with npm from the package.json is as follows:
"dependencies": {
    "jquery": "^3.5.1",
    "jquery-ui": "^1.12.1"
}
What can I do? Maybe try some different jQuery version, but I'm not sure which one is compatible with my project.
Comments (2)
Try adding version 3.6.0 as shown below to your code head and run the Lighthouse report again.
The recommendation is to
Looking at the linked vulnerability database, there are a number of issues with jQuery UI - but all of the reported issues are for versions below 1.13.0.
So, just upgrade to 1.13.0 or later. They use semantic versioning, so changing from .12 to .13 should not introduce any backwards-incompatible changes.
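As an added example (not code from the question or either answer), the Node script below reads a package.json like the one in the question and flags the jQuery and jQuery UI ranges that can still resolve below the minimums the two answers give (3.6.0 and 1.13.0), and reports whether those minimums already fall inside the existing caret range, so that a lockfile refresh rather than a package.json edit is enough. The minimum versions and the sample package.json are taken from this page; the function names are my own.

```javascript
// Added example, not code from the original post: flag package.json ranges that
// can still resolve to versions below the minimums the answers recommend, and
// report whether the fix already falls inside the existing range.

// Minimums stated in the answers on this page (3.6.0 for jQuery, 1.13.0 for
// jQuery UI). The sample package.json below is constructed from the question.
const MIN_SAFE = { jquery: '3.6.0', 'jquery-ui': '1.13.0' };
const samplePackageJson = JSON.stringify({
  dependencies: { jquery: '^3.5.1', 'jquery-ui': '^1.12.1' },
});

// Compare dotted numeric versions; negative, zero or positive like strcmp.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// The lowest version a range permits: what a fresh lockfile could pin to.
// Only exact versions and the ^ / ~ prefixes npm writes by default are handled.
function rangeFloor(range) {
  return range.replace(/^[\^~]/, '');
}

// ^ keeps the major fixed (for major >= 1), ~ keeps major.minor fixed, and an
// exact version allows only itself; target must also be at or above the floor.
function rangeAllows(range, target) {
  const floor = rangeFloor(range);
  if (compareVersions(target, floor) < 0) return false;
  const keep = range.startsWith('^') ? 1 : range.startsWith('~') ? 2 : 3;
  return floor.split('.').slice(0, keep).join('.') ===
    target.split('.').slice(0, keep).join('.');
}

// One finding per tracked dependency whose floor is below the safe minimum.
// updateSuffices: `npm update <name>` can reach the minimum without editing
// package.json; otherwise the range itself has to be raised.
function findOutdated(packageJsonText, minSafe = MIN_SAFE) {
  const deps = JSON.parse(packageJsonText).dependencies || {};
  const findings = [];
  for (const [name, range] of Object.entries(deps)) {
    if (!(name in minSafe)) continue;
    if (compareVersions(rangeFloor(range), minSafe[name]) >= 0) continue;
    findings.push({ name, range, minSafe: minSafe[name],
      updateSuffices: rangeAllows(range, minSafe[name]) });
  }
  return findings;
}
```

Running `findOutdated(samplePackageJson)` on the question's ranges reports both libraries as below the recommended minimums, with `updateSuffices` true for each, since ^3.5.1 already admits 3.6.0 and ^1.12.1 already admits 1.13.0; Lighthouse reports what the lockfile actually bundled, so the finding persists until that pin moves.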