
Outdated jQuery version (3.3.1) in Autopilot Manager package

Open maxim366 opened this issue 5 months ago • 5 comments

Dear Olivier,

Thank you for your contribution to the IT community. We have been using the Autopilot Manager solution for a long time and it has been very helpful!

Our security team reported that the package includes jQuery 3.3.1, which has known vulnerabilities. The affected file is: https://ourwebsite/lib/jquery/dist/jquery.min.js

Since this solution is configured to update automatically from your repository by design, the fix needs to be applied on your side.

Vulnerability details

The version currently bundled (jQuery 3.3.1) includes multiple known security issues:

CVE-2020-11022 (Cross-Site Scripting in .html() / .append() methods) Reference: https://nvd.nist.gov/vuln/detail/CVE-2020-11022

CVE-2020-11023 (Cross-Site Scripting in

CVE-2019-11358 (Prototype Pollution vulnerability) Proof-of-Concept: https://www.exploit-db.com/exploits/52141

General jQuery security advisories: GitHub Advisories: https://github.com/jquery/jquery/security/advisories

Snyk Security report for jQuery 3.3.1: https://security.snyk.io/package/npm/jquery/3.3.1

According to Snyk, the latest safe version is jQuery 3.7.1: https://security.snyk.io/package/npm/jquery

Request

Could you please confirm if updating to the latest stable version (currently 3.7.1) is planned as part of an upcoming release? Since the package is pulled directly from your repository, we cannot resolve this issue on our side without the update being applied upstream.

Contact

If you need any information/collaboration, you are more than welcome to contact me here on GitHub or email [email protected].

Thank you very much in advance for your support.

maxim366 avatar Aug 19 '25 05:08 maxim366
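As an added example that is not part of this issue or of the Autopilot Manager project: a small Python check that reads the version banner of a bundled jQuery build and reports which of the three CVEs listed above still apply. The banner pattern (`/*! jQuery v3.3.1 | ... */` in the minified build, `jQuery JavaScript Library v3.3.1` in the unminified one) is the one jQuery ships; the sample strings, file names and function names below are constructed for this example. The fixed-in releases used here come from the jQuery advisories: 3.4.0 for CVE-2019-11358 and 3.5.0 for CVE-2020-11022 and CVE-2020-11023. The script says nothing about later advisories, so passing it is not the same as being on the 3.7.1 release the issue asks for.

```python
"""Audit a bundled jquery.min.js for the three CVEs named in the issue.

Usage:  python jquery_audit.py lib/jquery/dist/jquery.min.js [more files...]
Exit status 1 when any file is affected, so it can run in CI.
"""
import re
import sys

# CVE, short description, first release that contains the fix
# (fixed-in versions per the jQuery security advisories).
ADVISORIES = [
    ("CVE-2019-11358", "prototype pollution via jQuery.extend(true, ...)", (3, 4, 0)),
    ("CVE-2020-11022", "XSS via .html()/.append() on untrusted HTML", (3, 5, 0)),
    ("CVE-2020-11023", "XSS via <option> elements in untrusted HTML", (3, 5, 0)),
]

# Matches both the minified banner "/*! jQuery v3.3.1 | ..." and the
# unminified header " * jQuery JavaScript Library v3.3.1".
VERSION_RE = re.compile(r"jQuery(?: JavaScript Library)? v(\d+)\.(\d+)\.(\d+)")

# Constructed sample inputs (mimic the banner text of a 3.3.1 and a 3.7.1 build).
SAMPLE_331 = "/*! jQuery v3.3.1 | (c) JS Foundation and other contributors | jquery.org/license */\n!function(e,t){...}"
SAMPLE_371 = "/*! jQuery v3.7.1 | (c) OpenJS Foundation and other contributors | jquery.org/license */\n!function(e,t){...}"
SAMPLE_NONE = "// some other library, no jQuery banner here"


def detect_version(source: str):
    """Return the (major, minor, patch) tuple from the banner, or None."""
    match = VERSION_RE.search(source)
    if match is None:
        return None
    return tuple(int(part) for part in match.groups())


def affected_cves(version):
    """CVE ids from ADVISORIES whose fix landed after `version`."""
    return [cve for cve, _desc, fixed_in in ADVISORIES if version < fixed_in]


def audit(name: str, source: str) -> dict:
    """Build a report for one file; 'version' is None when no banner was found."""
    version = detect_version(source)
    cves = affected_cves(version) if version is not None else []
    return {"file": name, "version": version, "cves": cves}


def format_report(report: dict) -> str:
    if report["version"] is None:
        return f"{report['file']}: no jQuery version banner found (inspect manually)"
    ver = ".".join(map(str, report["version"]))
    if not report["cves"]:
        return f"{report['file']}: jQuery {ver}, not affected by the listed CVEs"
    return f"{report['file']}: jQuery {ver}, affected by " + ", ".join(report["cves"])


def main(argv) -> int:
    if len(argv) < 2:
        # No files given: run over the constructed samples so the script demonstrates itself.
        reports = [audit("sample-3.3.1", SAMPLE_331),
                   audit("sample-3.7.1", SAMPLE_371),
                   audit("sample-none", SAMPLE_NONE)]
    else:
        reports = []
        for path in argv[1:]:
            with open(path, encoding="utf-8", errors="replace") as fh:
                reports.append(audit(path, fh.read()))
    for report in reports:
        print(format_report(report))
    return 1 if any(r["cves"] for r in reports) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

For a deployed instance where the file is only reachable over HTTP, the same check can be done by fetching `lib/jquery/dist/jquery.min.js` and feeding the body to `audit`, or, in the browser console of a loaded page, by reading `jQuery.fn.jquery`, which returns the same version string the banner carries.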