Bug 1623115 - Flot depends on seriously insecure and out of date js-jquery1
Summary: Flot depends on seriously insecure and out of date js-jquery1
Alias: None
Product: Fedora
Classification: Fedora
Component: nodejs-flot
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Dominik 'Rathann' Mierzejewski
QA Contact: Fedora Extras Quality Assurance
Depends On:
TreeView+ depends on / blocked
Reported: 2018-08-28 13:54 UTC by Christopher Tubbs
Modified: 2018-09-10 21:34 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2018-09-10 21:34:59 UTC
Type: Bug

Attachments (Terms of Use)
0001-Use-jQuery-3-js-jquery.patch (1.37 KB, patch)
2018-08-28 13:54 UTC, Christopher Tubbs
no flags Details | Diff

Description Christopher Tubbs 2018-08-28 13:54:04 UTC
Created attachment 1479262 [details]

Description of problem:
Flot should not depend on js-jquery1; it should depend on js-jquery (version 3). js-jquery1 and js-jquery2 are orphaned, and full of security bugs that are not being maintained upstream.

Version-Release number of selected component (if applicable):

Additional info:
I'm willing to help co-maintain nodejs-flot, since I'm maintaining js-jquery and depend on nodejs-flot for other packages I maintain. I've done a scratch build against js-jquery here: https://koji.fedoraproject.org/koji/taskinfo?taskID=29348250

Attached is a patch for modifying the spec file. I could also do a pull request in src.fedoraproject.org, if that's easier.

I think branches f28, f29, and master (f30) should be patched, but f29 and master (f30) at a minimum.

Comment 1 Christopher Tubbs 2018-09-09 20:00:29 UTC
Ping. This is kinda important, given that js-jquery1 is orphaned, and will be removed from Fedora if it remains so. This will affect not only Flot, but everything that depends on Flot. Please fix.

Comment 2 Dominik 'Rathann' Mierzejewski 2018-09-10 21:34:59 UTC
Fixed, thanks for the patch.

Note You need to log in before you can comment on or make changes to this bug.