Vulnerabilities with Foundry

After switching to Foundry, a webdev check signals some vulnerabilities that worry me:

[Bootstrap@4.0.0] 3 Medium

[jQuery@2.2.4] 4 Medium

[GreenSock JS@1.19.0] 1 High

Is this serious and is there a fix?

PJ

You may get a faster response here

Good morning @heretix

The items you’ve outlined aren’t as big of a concern as you might think, IMO, though without seeing the specific list(s) I can’t comment on them in detail. If you’d like to email me with the full list I’d be glad to look at them (adam at elixirgraphics dot com). That said I’ll touch on the three items you mentioned below:

Bootstrap
The Bootstrap version is something that will be addressed with a future update when we move to Bootstrap v5. This isn’t something that will be instantaneous though. Foundry is built on a one-off version of Bootstrap currently, so this is something that will take quite some time and a HUGE amount of work. That said I don’t believe you should see any problems here honestly. I’ve seen a very small list of vulnerabilities for v4 and one of them doesn’t relate to Foundry at all.

jQuery
This is a complicated one. Some of the stacks still require older versions of jQuery and will not work with newer versions. There’s no getting around it unfortunately. I am looking to move away from jQuery for Foundry in the future however. There may be situations where it is required for something, and if that is the case a newer version of jQuery will be used. @Isaiah wrote a good post regarding jQuery and its complicated relationship with Stacks here, on a thread very similar to your own:

GreenSock
This is an update I already have in the pipeline for Navigation Bar Pro, which I’m guessing is the stack you’re using that contains this library. Be on the lookout for it in the more near future.

3 Likes

Thanks Adam, I am happy with Foundry, and not excessively worried. After uploading the site I ran it on webdev or Lighthouse, as I find it useful to improve the site speed or SEO or accessibility.
The highlighting of vulnerabilities, to me, justified a query. Here is what the report says:

Includes front-end JavaScript libraries with known security vulnerabilities: 8 vulnerabilities detected
Some third-party scripts may contain known security vulnerabilities that are easily identified and exploited by attackers. Learn more.

Library Version        Vulnerability Count    Highest Severity
Bootstrap@4.0.0        3                      Medium
jQuery@2.2.4           4                      Medium
GreenSock JS@1.19.0    1                      High

Ensure CSP is effective against XSS attacks
A strong Content Security Policy (CSP) significantly reduces the risk of cross-site scripting (XSS) attacks. Learn more

Description                          Directive    Severity
No CSP found in enforcement mode

Thanks for your answer, and keep up the good work

Regards,

PJ
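The second finding in PJ's report, "No CSP found in enforcement mode", is the one a site owner can act on independently of Foundry updates. The following is an added example, not code from Foundry, from any poster in this thread, or from Lighthouse itself: a small checker that tells enforcing `Content-Security-Policy` apart from `Content-Security-Policy-Report-Only` (which Lighthouse does not count as enforcement) and flags `script-src` values that leave XSS protection weak. The header sets at the bottom are constructed samples, not captured from a real site.

```python
"""Check whether an HTTP response carries a Content Security Policy in
enforcement mode, and flag directives that weaken XSS protection.

Added example for this thread; it is not Foundry's code and not the
Lighthouse audit. All sample headers below are constructed.
"""
from typing import Dict, List

# script-src values that let arbitrary or inline script run and so defeat
# the point of the policy when the goal is XSS mitigation
WEAK_SCRIPT_SOURCES = ("'unsafe-inline'", "'unsafe-eval'", "*", "http:", "https:", "data:")


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive: [source expressions]}."""
    directives: Dict[str, List[str]] = {}
    for part in policy.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def audit_csp(headers: Dict[str, str]) -> Dict[str, object]:
    """Return {'mode': 'enforce' | 'report-only' | 'none', 'findings': [...]}."""
    lower = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    enforce = lower.get("content-security-policy")
    report_only = lower.get("content-security-policy-report-only")
    findings: List[str] = []

    if enforce is None:
        # Report-only mode only logs violations; nothing is blocked
        findings.append("No CSP found in enforcement mode")
        return {"mode": "report-only" if report_only else "none", "findings": findings}

    directives = parse_csp(enforce)
    # script-src falls back to default-src when it is absent
    script_src = directives.get("script-src", directives.get("default-src"))
    if script_src is None:
        findings.append("Neither script-src nor default-src set; scripts are unrestricted")
    else:
        for src in script_src:
            if src in WEAK_SCRIPT_SOURCES:
                findings.append(f"script-src allows {src}")
    # object-src also inherits from default-src; plugins can execute script
    if "object-src" not in directives and "default-src" not in directives:
        findings.append("object-src not restricted")
    # base-uri does not inherit from default-src
    if "base-uri" not in directives:
        findings.append("base-uri not restricted")
    return {"mode": "enforce", "findings": findings}


# Constructed sample responses (not captured from any real site)
SAMPLE_NO_CSP = {"Content-Type": "text/html"}
SAMPLE_REPORT_ONLY = {"Content-Security-Policy-Report-Only": "default-src 'self'"}
SAMPLE_WEAK = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline' https:"
}
SAMPLE_STRONG = {
    "Content-Security-Policy": (
        "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; "
        "object-src 'none'; base-uri 'self'"
    )
}

if __name__ == "__main__":
    for name, sample in [("no CSP", SAMPLE_NO_CSP), ("report-only", SAMPLE_REPORT_ONLY),
                         ("weak", SAMPLE_WEAK), ("strong", SAMPLE_STRONG)]:
        print(name, audit_csp(sample))
```

Run against the constructed samples, the no-CSP and report-only headers both reproduce the Lighthouse wording, the weak policy is flagged for `'unsafe-inline'`, the `https:` scheme allowlist and the missing `base-uri`, and the nonce-based policy passes clean. For a site built with Foundry the practical caveat is that a strict `script-src` will block any inline `<script>` the stacks emit until those are given a nonce or hash, which is why rolling the policy out in report-only mode first, then switching to enforcement, is the usual order.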