[ 
https://issues.apache.org/jira/browse/OFBIZ-13339?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18073236#comment-18073236
 ] 

ASF subversion and git services commented on OFBIZ-13339:
---------------------------------------------------------

Commit c7d82dd26980e5f693c45826c689633be00543e0 in ofbiz-plugins's branch 
refs/heads/trunk from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-plugins.git;h=c7d82dd26 ]

Revert "Fixed: jsgantt-improved bloks qs.js update (OFBIZ-13339)"

This reverts commit aae7fb0ea65c2259e52049e2fcfe941d25797188.

Because, as Jacopo mentioned on the dev ML, today's jsgantt-improved fix is not
yet released in npm


> jsgantt-improved bloks qs.js update
> -----------------------------------
>
>                 Key: OFBIZ-13339
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-13339
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: projectmgr
>    Affects Versions: 24.09.05
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>            Priority: Major
>             Fix For: 24.09.06
>
>
> That's a problem because the current qs.js version used by OFBiz is vulnerable to a 
> DDOS attack. jsgantt-improved has not been updated for at least 3 years.
> This was reported by [Dependabot|https://github.com/dependabot] at 
> [https://github.com/apache/ofbiz-plugins/network/updates/1194761905]
> I copy it here because it will possibly be lost and I'm not sure everybody 
> has access.
> {quote}Dependabot cannot update qs to a non-vulnerable version
> The latest possible version that can be installed is 6.5.3 because of the 
> following conflicting dependencies:
> [email protected] requires qs@~6.5.2 via a transitive dependency on 
> [email protected]
> No patched version available for qs
> The earliest fixed version is 6.14.1.
> {quote}
>  
> Dependabot offers a hand-made solution:
> [https://github.com/advisories/GHSA-6rw7-vpxm-498p]
> The security team agreed on disabling jsgantt-improved, with information 
> for OFBiz users to allow them to enable it if they are safe from related 
> DDOS attacks, e.g. totally secured Internet access, or preferably no access 
> at all (it's DDOS)!
> I have created an issue for jsgantt-improved team at 
> [https://github.com/jsGanttImproved/jsgantt-improved/issues/384]



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
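The Dependabot report quoted above says the highest installable qs is 6.5.3 while the fix is 6.14.1, because a dependent pins `qs@~6.5.2`. The script below, added here as an illustration and not code from OFBiz, jsgantt-improved or Dependabot, implements the npm tilde-range rule and runs it over a constructed dependency tree so the conflict is reproducible offline. The version list is a hand-picked subset rather than the real qs release history, the tree flattens the transitive chain (the report redacts the intermediate package), and the `overrides` entry at the end is one possible workaround the page does not itself describe.

```javascript
// Added example, not code from OFBiz, jsgantt-improved or Dependabot.
// Models the Dependabot message: a dependent pins qs with a tilde range,
// so the highest installable version stays below the patched release.

// Parse "MAJOR.MINOR.PATCH" into numbers (pre-release/build tags are not handled).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1).map(Number);
}

// Lexicographic compare on [major, minor, patch]; usable as a sort comparator.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// npm range semantics for the two forms that matter here:
//   ~x.y.z  -> >=x.y.z <x.(y+1).0  (patch-level updates only)
//   x.y.z   -> exact pin
function rangeAllows(range, version) {
  const r = range.trim();
  if (r.startsWith("~")) {
    const base = parseVersion(r.slice(1));
    const v = parseVersion(version);
    return v[0] === base[0] && v[1] === base[1] && compareVersions(version, r.slice(1)) >= 0;
  }
  return compareVersions(version, r) === 0;
}

// Highest published version satisfying every range the tree places on the package.
function highestInstallable(constraints, published) {
  return published
    .filter((v) => constraints.every((c) => rangeAllows(c.range, v)))
    .sort(compareVersions)
    .pop() ?? null;
}

// Is the patched version reachable, and which dependents block it?
function assessUpdate(pkg, tree, published, fixedVersion) {
  const constraints = Object.entries(tree)
    .filter(([, deps]) => pkg in deps)
    .map(([dependent, deps]) => ({ dependent, range: deps[pkg] }));
  const highest = highestInstallable(constraints, published);
  const blockers = constraints
    .filter((c) => !rangeAllows(c.range, fixedVersion))
    .map((c) => `${c.dependent} requires ${pkg}@${c.range}`);
  return { highest, fixedReachable: blockers.length === 0, blockers };
}

// Constructed data: a subset of versions, not the real qs release history.
// The real chain is one level deeper (jsgantt-improved -> redacted package -> qs);
// it is flattened here because the intermediate name is not on the page.
const PUBLISHED_QS = ["6.5.2", "6.5.3", "6.10.3", "6.13.0", "6.14.0", "6.14.1"];
const FIXED_QS = "6.14.1";
const TREE = {
  "jsgantt-improved": { qs: "~6.5.2" },
};

// One way out when upstream has not moved (an assumption, not the page's own
// solution): an npm `overrides` block forces the resolved version regardless of
// the transitive range. Test afterwards; the dependent never ran against 6.14.x.
function overrideFor(pkg, version) {
  return { overrides: { [pkg]: version } };
}

const report = assessUpdate("qs", TREE, PUBLISHED_QS, FIXED_QS);
console.log(report);
console.log(JSON.stringify(overrideFor("qs", FIXED_QS)));
```

Running it reports `highest: "6.5.3"` and `fixedReachable: false`, with `jsgantt-improved requires qs@~6.5.2` as the blocker, which is exactly the situation Dependabot describes: nothing short of the dependent releasing a new range, or a local override, moves qs to 6.14.1.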