
Metronic 7 jQuery JavaScript Library v3.4.1 vulnerabilities


plugins.bundle.js uses:
jQuery JavaScript Library v3.4.1

https://nvd.nist.gov/vuln/detail/CVE-2020-11022
CVE-2020-11022: Regex in its jQuery.htmlPrefilter sometimes may introduce XSS

https://nvd.nist.gov/vuln/detail/CVE-2020-23064
CVE-2020-11023, CVE-2020-23064: passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code.

How can I update this manually past 3.5.0? I have plugins bundle v 7.0.5



Replies (14)


I have plugins.bundle.js 7.0.5



Thank you for bringing this to our attention. The jQuery JavaScript Library v3.4.1 used in Metronic 7's plugins.bundle.js does have some known vulnerabilities.

To enhance the security of your application, it is advisable to update the jQuery library to a version that has these vulnerabilities patched. Consider upgrading to jQuery 3.5.0 or a later version to address these issues.

Thank you for your vigilance in maintaining the security of your project. If you have any further questions or concerns, feel free to reach out.



can you walk me through step by step on how to do this?



I can't find my copy of Metronic 7 and I can only download 8 from ThemeForest right now. Is it possible to build the plugins bundle with jQuery 3.5?

When I look at the demo for Metronic 7, it also still uses jQuery 3.4.1 in the plugins bundle, so I can't download that one.



To upgrade jQuery to version 3.5.0 in your project's `package.json` file, you can follow these steps:

1. Open your project's tools directory in a code editor.

2. Locate and open the `package.json` file.

3. In the `dependencies` section of your `package.json`, find the existing jQuery dependency and change its version to `3.5.0`. It might look something like this:

```
"dependencies": {
  "jquery": "3.4.1",
  // other dependencies...
}
```


Update it to:

```
"dependencies": {
  "jquery": "3.5.0",
  // other dependencies...
}
```


4. Save the `package.json` file.

5. Open a terminal or command prompt in your project's directory.

6. Run the following command to update your project's dependencies, including jQuery, to the specified version:


```
npm update
```


7. Wait for the update process to complete. npm will fetch the latest version of jQuery (3.5.0) and update it in your project.

8. Once the update is complete, verify that jQuery has been successfully updated to version 3.5.0 by checking your `package.json` or by running:


```
npm list jquery
```


You should see jQuery listed with version 3.5.0.

That's it! Make sure to test your application thoroughly to ensure that it works as expected with the updated jQuery version.

Please note that our primary focus and updates are currently directed towards Metronic 8. If you have specific concerns or encounter any difficulties with Metronic 7, please feel free to ask, and we'll be happy to provide guidance and assistance.
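A check to go with step 8, added here and not part of the original reply or of Metronic's tooling: `npm list jquery` reports the package installed in `node_modules`, while the browser loads the built `plugins.bundle.js`, so this Node.js script reads the version from the jQuery banner inside the bundle text. The function names and sample strings are constructed for illustration, and matching the short banner of minified jQuery builds goes beyond the banner quoted in the thread.

```javascript
// Added example: report which jQuery release is embedded in a built bundle.
// 3.5.0 is the release the thread names as carrying the fixes.
const FIXED = [3, 5, 0];

// Matches the full banner quoted in the thread (" * jQuery JavaScript Library v3.4.1")
// and the short banner of minified builds ("/*! jQuery v3.4.1 | ...").
// Anchoring on the comment prefix avoids matching plugin text that merely
// mentions a jQuery version it requires.
const BANNER = /(?:\/\*! jQuery|\* jQuery JavaScript Library) v(\d+)\.(\d+)\.(\d+)/g;

function isBelowFixed(parts) {
  for (let i = 0; i < 3; i++) {
    if (parts[i] !== FIXED[i]) return parts[i] < FIXED[i];
  }
  return false; // equal to the fixed release
}

// Returns every distinct jQuery version found, flagged if older than 3.5.0.
function findEmbeddedJquery(bundleText) {
  const seen = new Map();
  for (const m of bundleText.matchAll(BANNER)) {
    const parts = m.slice(1, 4).map(Number);
    const version = parts.join('.');
    seen.set(version, { version, needsUpgrade: isBelowFixed(parts) });
  }
  return [...seen.values()];
}

// 'unknown' means no banner survived the build, so the version must be
// confirmed another way (for example jQuery.fn.jquery in the browser console).
function bundleStatus(bundleText) {
  const found = findEmbeddedJquery(bundleText);
  if (found.length === 0) return 'unknown';
  return found.some((f) => f.needsUpgrade) ? 'vulnerable' : 'patched';
}

// Reads a real bundle from disk; dynamic import works in CommonJS and ES modules.
async function scanFile(path) {
  const { readFileSync } = await import('fs');
  return bundleStatus(readFileSync(path, 'utf8'));
}

// Constructed sample input, not the real Metronic bundle.
const SAMPLE_OLD = '/*!\n * jQuery JavaScript Library v3.4.1\n * https://jquery.com/\n */\n(function(){})();\n';
const SAMPLE_NEW = '/*! jQuery v3.5.0 | (c) JS Foundation and other contributors */\n(function(){})();\n';

console.log(bundleStatus(SAMPLE_OLD), bundleStatus(SAMPLE_NEW));
```

For a real file, call `scanFile('plugins.bundle.js').then(console.log)` from the directory that holds the built bundle; a bundle that still contains an old copy alongside a new one is reported as `vulnerable`.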



I can't find my copy of Metronic 7 and I can only download 8 from ThemeForest right now. Is it possible to build the plugins bundle with jQuery 3.5?

When I look at the demo for Metronic 7, it also still uses jQuery 3.4.1 in the plugins bundle, so I can't download that one.

Can I provide my license so I can get the download of 7 and apply the patch, please? This is urgent.



When I do that I get this error:

```
PS C:\Users\adgow\Downloads\Metronic 7.0.5\metronic_v7.0.5\theme\html\tools> npm update
npm ERR! code ERESOLVE
npm ERR! ERESOLVE unable to resolve dependency tree
npm ERR!
npm ERR! While resolving: metronic@7.0.5
npm ERR! Found: bootstrap@4.5.0
npm ERR! node_modules/bootstrap
npm ERR! bootstrap@"4.5.0" from the root project
npm ERR!
npm ERR! Could not resolve dependency:
npm ERR! peer bootstrap@"^3.1.1" from bootstrap-switch@3.3.4
npm ERR! node_modules/bootstrap-switch
npm ERR! bootstrap-switch@"3.3.4" from the root project
npm ERR!
npm ERR! Fix the upstream dependency conflict, or retry
npm ERR! this command with --force, or --legacy-peer-deps
npm ERR! to accept an incorrect (and potentially broken) dependency resolution.
npm ERR!
npm ERR! See C:\Users\adgow\AppData\Local\npm-cache\eresolve-report.txt for a full report.

npm ERR! A complete log of this run can be found in:
npm ERR! C:\Users\adgow\AppData\Local\npm-cache\_logs\2023-10-06T17_15_54_708Z-debug-0.log
```



@faizal can you please build it for me? I have tried and I get a million errors. Do you guys have a docker container I can spin up with the correct env?



What version of Node should I use? I can't see any specs for it in the package.json.



Hi,

If you need the Metronic v7 source code you can use the below link to download Metronic v7 right away from this link.

Regards



Hi Alex,

Are you able to build it after downloading v7? Which demo do you need? We will build it for you.

Thanks



hey Faizal. Can you please build v7 demo 1?



Hi Alex,

Here is the download link for demo1

https://drive.google.com/file/d/1YlhUmWh0M7JmrgDqksTpysSvPhz5J6cC/view?usp=share_link

Thanks

