[ https://issues.apache.org/jira/browse/OFBIZ-13339?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18066986#comment-18066986 ]
ASF subversion and git services commented on OFBIZ-13339:
---------------------------------------------------------
Commit cd86d810620894035850e727c5ea217a915ea42d in ofbiz-plugins's branch
refs/heads/release24.09 from Jacopo Cappellato
[ https://gitbox.apache.org/repos/asf?p=ofbiz-plugins.git;h=cd86d8106 ]
Fixed: Remove the Gantt feature from projectmgr (OFBIZ-13339)
The feature was based on a deprecated and no longer maintained external dependency
(cherry picked from commit 297f34ee331dc1bf2d49e0afef9ac6b73e442ff3)
> jsgantt-improved blocks qs.js update
> ------------------------------------
>
> Key: OFBIZ-13339
> URL: https://issues.apache.org/jira/browse/OFBIZ-13339
> Project: OFBiz
> Issue Type: Sub-task
> Components: projectmgr
> Affects Versions: 24.09.05
> Reporter: Jacques Le Roux
> Assignee: Jacques Le Roux
> Priority: Major
> Fix For: 24.09.05
>
>
> That's a problem because the current qs.js version used by OFBiz is vulnerable to
> a DDoS attack. jsgantt-improved has not been updated for at least 3 years.
> This was reported by [Dependabot|https://github.com/dependabot] at
> [https://github.com/apache/ofbiz-plugins/network/updates/1194761905]
> I copy it here because it will possibly be lost and I'm not sure everybody
> has access.
> {quote}Dependabot cannot update qs to a non-vulnerable version
> The latest possible version that can be installed is 6.5.3 because of the
> following conflicting dependencies:
> [email protected] requires qs@~6.5.2 via a transitive dependency on
> [email protected]
> No patched version available for qs
> The earliest fixed version is 6.14.1.
> {quote}
>
> Dependabot offers a hand-made solution:
> [https://github.com/advisories/GHSA-6rw7-vpxm-498p]
> The security team agreed on disabling jsgantt-improved, with information
> for OFBiz users to allow them to enable it if they are safe from related
> DDoS attacks, e.g. totally secured Internet access, or preferably no access
> at all (it's DDoS)!
> I have created an issue for jsgantt-improved team at
> [https://github.com/jsGanttImproved/jsgantt-improved/issues/384]
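The Dependabot message above describes the mechanics of a transitive pin: a dependent asks for qs@~6.5.2, so no resolver can ever select the patched 6.14.1 under that dependent, and the only reachable version is 6.5.3. The script below is an added illustration of that mechanics, not code from OFBiz, Dependabot or jsgantt-improved. It implements the tilde-range rule for plain x.y.z versions and then scans an npm lockfile (lockfileVersion 2/3 "packages" layout) for every installed copy of a package older than a given fixed version, reporting the nested path that shows which dependent introduced it. The lockfile is constructed inline and the dependent name "legacy-lib" is hypothetical; the version 6.14.1 is the earliest fixed version quoted in the issue.

```javascript
// Added example (not part of the OFBiz issue, Dependabot, or any project's code).
// Shows why a transitive "qs@~6.5.2" pin can never resolve to the fixed 6.14.1,
// and how to find every installed copy of a package below a fixed version in
// an npm lockfile (lockfileVersion 2/3, "packages" map keyed by install path).

const FIXED_QS = "6.14.1"; // earliest fixed version quoted in the Dependabot message

// Parse a plain x.y.z version (optional leading "v"); prerelease tags are out of scope.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a plain x.y.z version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric comparison: "6.5.3" < "6.14.1", whereas a string compare would say the
// opposite because "5" > "1" character-wise.
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Tilde range "~x.y.z" means >= x.y.z and < x.(y+1).0: patch-level updates only.
// So "~6.5.2" accepts 6.5.3 but can never accept 6.14.1, which is exactly the
// conflict Dependabot reports.
function tildeRangeAllows(range, candidate) {
  if (!range.startsWith("~")) throw new Error("only ~x.y.z ranges are handled here");
  const [x, y, z] = parseVersion(range.slice(1));
  const [cx, cy, cz] = parseVersion(candidate);
  if (cx !== x || cy !== y) return false;
  return cz >= z;
}

// Walk the lockfile "packages" map and collect installed copies of `name` whose
// version is older than `fixed`. The map key is the install path, so a nested
// key such as "node_modules/a/node_modules/qs" tells you that "a" caused the
// vulnerable copy to be installed alongside any patched top-level copy.
function findVulnerableCopies(lock, name, fixed) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // "" is the root project itself
    const leaf = path.split("node_modules/").pop();
    if (leaf !== name || !entry.version) continue;
    if (compareVersions(entry.version, fixed) < 0) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Constructed sample lockfile (hypothetical project and dependent names): the
// root depends on a patched qs directly, while "legacy-lib" pins qs@~6.5.2 and
// therefore gets its own nested, unpatched copy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "some-app", dependencies: { "legacy-lib": "1.0.0", qs: "^6.14.1" } },
    "node_modules/qs": { version: "6.14.1" },
    "node_modules/legacy-lib": { version: "1.0.0", dependencies: { qs: "~6.5.2" } },
    "node_modules/legacy-lib/node_modules/qs": { version: "6.5.3" },
  },
};

// Stand-alone run: prints the range check and the list of vulnerable copies.
console.log("~6.5.2 can reach 6.14.1:", tildeRangeAllows("~6.5.2", FIXED_QS));
console.log("~6.5.2 can reach 6.5.3: ", tildeRangeAllows("~6.5.2", "6.5.3"));
console.log(findVulnerableCopies(SAMPLE_LOCK, "qs", FIXED_QS));
```

Running it against a real package-lock.json only needs `JSON.parse(fs.readFileSync(...))` in place of SAMPLE_LOCK. The point the output makes is the one the issue makes: bumping the top-level qs does nothing for the nested copy, because the dependent's own range excludes every fixed release, so the remediation has to happen at the dependent (an upstream update, or removing the dependent as the commit above does).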
--
This message was sent by Atlassian Jira
(v8.20.10#820010)