fix: bump jquery-ui to v1.13.2 to fix multiple CVEs #2477
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
cderv
reviewed
Apr 21, 2023
There was a problem hiding this comment.
Thanks a lot.
I left a comment. I wonder if we should have exactly the same component.
Otherwise, I was wondering if we should sync with the version in shiny. What do you think ?
I did compare with this script executed on your branch
# This script aims to update and sync jquery-ui dependency with the one in shiny
rmd <- "inst/rmd/h/jqueryui/"
shiny <- "https://github.com/rstudio/shiny/archive/refs/heads/main.zip"
temp_zip <- tempfile(fileext = ".zip")
xfun::download_file(shiny, temp_zip, mode = "wb")
dir.create(temp_shiny <- tempfile("shiny"))
unzip(temp_zip, exdir = temp_shiny)
jqueryui <- file.path(temp_shiny, "shiny-main", "inst", "www", "shared", "jqueryui")
unlink(rmd, recursive = TRUE)
file.copy(jqueryui, dirname(rmd), overwrite = TRUE, recursive = TRUE)
unlink(temp_shiny, recursive = TRUE)
unlink(temp_zip, recursive = TRUE)It seems there are some differences probably due to the components includes.
|
This is the diff between jquery-ui components in shiny and r-markdown: which matches with the description from
However, the conflict between bootstrap-datepicker and jquery-ui datepicker was resolved in rstudio/shiny#1374, which is why I guess shiny includes the datepicker from jquery-ui again. |
|
@cderv I've updated the PR and pulled in the |
cderv
reviewed
May 23, 2023
cderv
approved these changes
May 23, 2023
jonathan-g
added a commit
to jonathan-g/rmarkdown
that referenced
this pull request
Aug 16, 2023
* rstudio/main: start the next version CRAN release v2.24 shinyrmd: Safer dependency extraction from pre-rendered HTML (rstudio#2500) quote the version number per CRAN's request Add output_format_dependency() (rstudio#2462) file_scope is now correctly merged when creating output_format (rstudio#2488) Correctly run some tests only on CI start the next version CRAN release v2.23 remove broken links suggest cleanrmd for e499bf7 add news comparing version numbers with numbers is no longer allowed: https://bugs.r-project.org/show_bug.cgi?id=18548 `find_external_resources` works with custom format using `theme` (rstudio#2494) start the next version CRAN release v2.22 S3 generic/method consistency Change the code-folding button text from "Code" to "Show" (rstudio#2489) fix: bump jquery-ui to v1.13.2 to fix multiple CVEs (rstudio#2477) detecting external resources needs to consider css argument (rstudio#2486)
jonathan-g
added a commit
to jonathan-g/rmarkdown
that referenced
this pull request
Aug 16, 2023
Merge remote-tracking branch 'rstudio/main' into jg-devel # By Yihui Xie (13) and others # Via Yihui Xie * rstudio/main: start the next version CRAN release v2.24 shinyrmd: Safer dependency extraction from pre-rendered HTML (rstudio#2500) quote the version number per CRAN's request Add output_format_dependency() (rstudio#2462) file_scope is now correctly merged when creating output_format (rstudio#2488) Correctly run some tests only on CI start the next version CRAN release v2.23 remove broken links suggest cleanrmd for e499bf7 add news comparing version numbers with numbers is no longer allowed: https://bugs.r-project.org/show_bug.cgi?id=18548 `find_external_resources` works with custom format using `theme` (rstudio#2494) start the next version CRAN release v2.22 S3 generic/method consistency Change the code-folding button text from "Code" to "Show" (rstudio#2489) fix: bump jquery-ui to v1.13.2 to fix multiple CVEs (rstudio#2477) detecting external resources needs to consider css argument (rstudio#2486) # Conflicts: # DESCRIPTION
jonathan-g
added a commit
to jonathan-g/rmarkdown
that referenced
this pull request
Aug 16, 2023
* jg-devel: (21 commits) Updated NEWS. Patched `merge_output_format_dependency` to ensure that named elements remain in the correct order. start the next version CRAN release v2.24 shinyrmd: Safer dependency extraction from pre-rendered HTML (rstudio#2500) quote the version number per CRAN's request Add output_format_dependency() (rstudio#2462) file_scope is now correctly merged when creating output_format (rstudio#2488) Correctly run some tests only on CI start the next version CRAN release v2.23 remove broken links suggest cleanrmd for e499bf7 add news comparing version numbers with numbers is no longer allowed: https://bugs.r-project.org/show_bug.cgi?id=18548 `find_external_resources` works with custom format using `theme` (rstudio#2494) start the next version CRAN release v2.22 S3 generic/method consistency Change the code-folding button text from "Code" to "Show" (rstudio#2489) fix: bump jquery-ui to v1.13.2 to fix multiple CVEs (rstudio#2477) ...
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What
Why
#2405