[ https://issues.apache.org/jira/browse/OFBIZ-13339?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18073229#comment-18073229 ]

Jacques Le Roux commented on OFBIZ-13339:
-----------------------------------------

It's not as simple as hoped. For some time now we have had a warning message from 
Dependabot saying:

bq. Node.js 20 actions are deprecated. The following actions are running on 
Node.js 20 and may not work as expected: github/dependabot-action@main. Actions 
will be forced to run with Node.js 24 by default starting June 2nd, 2026. 
Node.js 20 will be removed from the runner on September 16th, 2026. Please 
check if updated versions of these actions are available that support Node.js 
24. To opt into Node.js 24 now, set the FORCE_JAVASCRIPT_ACTIONS_TO_NODE24=true 
environment variable on the runner or in your workflow file. Once Node.js 24 
becomes the default, you can temporarily opt out by setting 
ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION=true. For more information see: 
https://github.blog/changelog/2025-09-19-deprecation-of-node-20-on-github-actions-runners/

And, as Jacopo mentioned on the dev ML, I missed that today's fix is not yet 
released in npm. So I revert, hoping that soon the fix will be in npm and so we 
will be able to check if it's OK with Dependabot.

> jsgantt-improved blocks qs.js update
> ------------------------------------
>
>                 Key: OFBIZ-13339
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-13339
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: projectmgr
>    Affects Versions: 24.09.05
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>            Priority: Major
>             Fix For: 24.09.06
>
>
> That's a problem because current qs.js version used by OFBiz is vulnerable to 
> DDOS attack. jsgantt-improved had not been updated for 3 years at least.
> This was reported by [Dependabot|https://github.com/dependabot] at 
> [https://github.com/apache/ofbiz-plugins/network/updates/1194761905]
> I copy it here because it will possibly be lost and I'm not sure everybody 
> has access.
> {quote}Dependabot cannot update qs to a non-vulnerable version
> The latest possible version that can be installed is 6.5.3 because of the 
> following conflicting dependencies:
> [email protected] requires qs@~6.5.2 via a transitive dependency on 
> [email protected]
> No patched version available for qs
> The earliest fixed version is 6.14.1.
> {quote}
>  
> Dependabot offers a hand-made solution:
> [https://github.com/advisories/GHSA-6rw7-vpxm-498p]
> The security team agreed about disabling jsgantt-improved, with information 
> for OFBiz users to allow them to enable it if they are safe from related 
> DDOS attacks, e.g. totally secured Internet access, or preferably no access 
> at all (it's DDOS)!
> I have created an issue for jsgantt-improved team at 
> [https://github.com/jsGanttImproved/jsgantt-improved/issues/384]



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
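The quoted Dependabot report says the fix cannot be applied because a transitive dependent declares qs@~6.5.2, a range that can never accept the first fixed version 6.14.1. The script below is an added example, not code from the OFBiz project, jsgantt-improved or the Jira issue: it walks a package-lock.json (lockfileVersion 3 layout), lists every installed copy of a package, flags copies below the fixed version, and names the dependents whose declared range excludes the fix. The lock file is constructed; the package that actually pins qs is redacted in the issue text, so its name and version here are placeholders, and only the qs values (6.5.3 installed, ~6.5.2 declared, 6.14.1 fixed) come from the issue. The range parser deliberately supports only exact, `~`, `^` and `*` ranges and throws on anything else.

```javascript
// Added example (not from OFBiz, jsgantt-improved or the Jira issue).
// Audit a package-lock.json (lockfileVersion 3 layout) for a package that
// a Dependabot advisory says is fixed in `fixedVersion`, and explain why
// an update may be blocked: some dependent's semver range excludes the fix.

// Constructed lock file. 'placeholder-transitive-dep' stands in for the
// dependent redacted in the issue; its version and ranges are made up.
// The qs values (6.5.3 installed, ~6.5.2 declared, 6.14.1 fixed) are the
// ones quoted in the Dependabot report.
const LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-root', dependencies: { 'jsgantt-improved': '^1.0.0' } },
    'node_modules/jsgantt-improved': {
      version: '1.0.0', // placeholder
      dependencies: { 'placeholder-transitive-dep': '^1.0.0' },
    },
    'node_modules/placeholder-transitive-dep': {
      version: '1.0.0', // placeholder
      dependencies: { qs: '~6.5.2' },
    },
    'node_modules/qs': { version: '6.5.3' },
  },
};

// "1.2.3" -> [1, 2, 3]; prerelease/build suffixes are ignored on purpose.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// -1 / 0 / 1 like a comparator, comparing major, minor, patch in order.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// Minimal semver range check: "*", exact, "~x.y.z" (same major.minor),
// "^x.y.z" (same major; leftmost non-zero part fixed when major is 0).
// Any other syntax throws rather than silently guessing.
function rangeAllows(range, version) {
  const r = range.trim();
  if (r === '*' || r === 'latest' || r === '') return true;
  const v = parseVersion(version);
  if (r.startsWith('~')) {
    const base = r.slice(1), lo = parseVersion(base);
    return compareVersions(version, base) >= 0 && v[0] === lo[0] && v[1] === lo[1];
  }
  if (r.startsWith('^')) {
    const base = r.slice(1), lo = parseVersion(base);
    if (compareVersions(version, base) < 0) return false;
    if (lo[0] !== 0) return v[0] === lo[0];
    if (lo[1] !== 0) return v[0] === 0 && v[1] === lo[1];
    return v[0] === 0 && v[1] === 0 && v[2] === lo[2];
  }
  if (/^\d/.test(r)) return compareVersions(version, r) === 0;
  throw new Error(`unsupported range syntax: ${range}`);
}

// Every lock entry that declares `name` as a dependency, with the range it asks for.
function findDependents(lock, name) {
  const out = [];
  for (const [path, entry] of Object.entries(lock.packages)) {
    const deps = { ...(entry.dependencies || {}), ...(entry.optionalDependencies || {}) };
    if (name in deps) out.push({ dependent: path === '' ? '(root package.json)' : path, range: deps[name] });
  }
  return out;
}

// Every installed copy of `name`, top-level or nested under another package.
function findInstalled(lock, name) {
  const out = [];
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (path.endsWith(`node_modules/${name}`)) out.push({ path, version: entry.version });
  }
  return out;
}

// Combine the two views: which copies are below the fix, and which
// dependents' ranges would reject the fixed version (the "conflicting
// dependencies" Dependabot reports).
function auditPackage(lock, name, fixedVersion) {
  const installed = findInstalled(lock, name).map((c) => ({
    ...c, vulnerable: compareVersions(c.version, fixedVersion) < 0,
  }));
  const dependents = findDependents(lock, name);
  const blockers = dependents.filter((d) => !rangeAllows(d.range, fixedVersion));
  return { name, fixedVersion, installed, dependents, blockers };
}

function formatReport(report) {
  const lines = report.installed.map((c) =>
    `${c.path}: ${c.version} ${c.vulnerable ? `(below fixed ${report.fixedVersion})` : '(ok)'}`);
  for (const b of report.blockers) {
    lines.push(`blocked by ${b.dependent}: declares ${report.name}@${b.range}, which excludes ${report.fixedVersion}`);
  }
  return lines;
}

console.log(formatReport(auditPackage(LOCK, 'qs', '6.14.1')).join('\n'));
```

Run against a real lock file by replacing LOCK with `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))`. When the blockers list is non-empty, the only fixes are the ones the issue discusses: an upstream release of the dependent with a wider range, a manual override, or disabling the feature that pulls the package in.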
