Security : vulnerability on jquery

[DoodahProductions]

Version of jquery bellow 3.0.0 are vulnerables to XSS injection.
The index.html does require a lower version of jquery making the module vulnerable.

ID : CVE-2015-9251
CVSS Score : 6.1
Description : jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.
Origin : jmespath dependency

[isabellewithers]

@jamesls - I know this package isn't actively maintained, but any update on this? I'd be happy to make the change myself if you could grant contributor access.

[darrenmothersele]

jQuery isn't used. No action is needed here.

[jackton1]

@darrenmothersele There's an index.html which seems to be the source of the vulnerability warning.

index.html

[jakebrown58]

This is still an issue. It doesn't get flagged in NPM - but it gets flagged in security scans. And this library is a dependency of the AWS-SDK - so it's challenging to work around.

Does this index.html even need to be in the npm package? It's not part of source.

[xevenheaven]

I'm facing the same issue. @jamesls, could we expedite a fix for this please? I believe #62 should help.

[jamesls]

#62 has been merged and a 0.16.0 release has been published with this fix.