Hi Jacopo,
The reasons I kept it are
* Being only used by the Gantt chart in project appli, it's OOTB no longer a
possible security issue.
* It allows OFBiz users to easily use it if they want and are totally safe
from external attacks.
* It's possible that later Dependabot will be able to propose a solution,
though I doubt because jsgantt-improved is really abandoned.
Why would you want to remove it?
Jacques
On 19/03/2026 at 09:06, Jacopo Cappellato wrote:
Hi Jacques,
In order to resolve this we should also remove the dependency on
jsgantt-improved from
https://github.com/apache/ofbiz-plugins/blob/trunk/projectmgr/webapp/projectmgr/package.json
Jacopo
On Wed, Jan 21, 2026 at 11:19 AM <[email protected]> wrote:
This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch release24.09
in repository https://gitbox.apache.org/repos/asf/ofbiz-plugins.git
The following commit(s) were added to refs/heads/release24.09 by this push:
new 3ebc51f37 Fixed: jsgantt-improved blocks qs.js update (OFBIZ-13339)
3ebc51f37 is described below
commit 3ebc51f37682ba0d01a3e33eacc396410f249968
Author: Jacques Le Roux <[email protected]>
AuthorDate: Wed Jan 21 11:18:01 2026 +0100
Fixed: jsgantt-improved blocks qs.js update (OFBIZ-13339)
Because of this vulnerability we are temporarily disabling the
projectmgr/control/ganttChart feature
---
projectmgr/template/project/GanttChart.ftl | 25 +++++++++++++++++++++--
projectmgr/webapp/projectmgr/static/projectmgr.js | 2 +-
projectmgr/widget/ProjectScreens.xml | 4 ++--
3 files changed, 26 insertions(+), 5 deletions(-)
diff --git a/projectmgr/template/project/GanttChart.ftl
b/projectmgr/template/project/GanttChart.ftl
index 2fc1929dd..f5567cb36 100644
--- a/projectmgr/template/project/GanttChart.ftl
+++ b/projectmgr/template/project/GanttChart.ftl
@@ -22,8 +22,29 @@ under the License.
<input id="ofbizGantItemsJson" type="hidden"
value="${phaseTaskListJson}"/>
-<#-- Commented out because qs.js has a transitive issue due to
request.js. Seehttps://issues.apache.org/jira/browse/OFBIZ-13339 for
details
+<#-- Commented out because qs.js has a transitive vulnerability due to
request.js. Seehttps://issues.apache.org/jira/browse/OFBIZ-13339 for
details
<script type="text/javascript"
src="/projectmgr/node_modules/jsgantt-improved/dist/jsgantt.js"></script>
<script type="text/javascript"
src="/projectmgr/static/projectmgr.js"></script>
-->
-This has for now been Commented out because qs.js has a transitive issue
due to request.js. Seehttps://issues.apache.org/jira/browse/OFBIZ-13339
for details
+This has for now been Commented out because qs.js has a transitive
vulnerability due to request.js.
+<br>
+See <a href="https://issues.apache.org/jira/browse/OFBIZ-13339 for
details">https://issues.apache.org/jira/browse/OFBIZ-13339 for details</a>
+<br><br>
+The latest possible version that can be installed is 6.5.3 because of the
following conflicting dependencies:
+<br>
[email protected] requiresqs@~6.5.2 via a transitive dependency on
[email protected]
+<br>
+No patched version available for qs
+<br>
+The earliest fixed version is 6.14.1.
+<br><br>
+For details see.
+<br>
+<a href="https://github.com/advisories/GHSA-6rw7-vpxm-498p">
https://github.com/advisories/GHSA-6rw7-vpxm-498p</a>
+<br>
+<a href=" https://github.com/apache/ofbiz-plugins/network/updates/1194761905">
https://github.com/apache/ofbiz-plugins/network/updates/1194761905</a>
+<br>
+<a href="https://github.com/jsGanttImproved/jsgantt-improved/issues/384">
https://github.com/jsGanttImproved/jsgantt-improved/issues/384</a>
+<br>
+<br>
+If you feel it's ok with you (e.g. totally secured Internet access, or
rather no access at all which is safer!) you may uncomment and use.
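Review bot: the first link added in this hunk is malformed: `<a href="https://issues.apache.org/jira/browse/OFBIZ-13339 for details">` puts the words " for details" inside the href, so the rendered link points at a URL that does not exist; move them outside the attribute, e.g. `<a href="https://issues.apache.org/jira/browse/OFBIZ-13339">OFBIZ-13339</a> for details`. The second advisory link, `<a href=" https://github.com/apache/ofbiz-plugins/network/updates/1194761905">`, carries a leading space inside the attribute value that should be dropped as well. Two smaller points: "For details see." ends in a full stop where a colon is meant, and the explanatory sentence "qs.js has a transitive vulnerability due to request.js" reads inverted against the dependency line a few lines below ("[email protected] requires qs@~6.5.2 via a transitive dependency on [email protected]"): the vulnerable package is qs, pulled in through request, so wording it that way would avoid confusing the next reader. Finally, all of this user-facing text is hard-coded English in the template rather than a ProjectMgrUiLabels entry, so it will not be localised like the rest of the screen.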
diff --git a/projectmgr/webapp/projectmgr/static/projectmgr.js
b/projectmgr/webapp/projectmgr/static/projectmgr.js
index 48090245e..c64911a68 100644
--- a/projectmgr/webapp/projectmgr/static/projectmgr.js
+++ b/projectmgr/webapp/projectmgr/static/projectmgr.js
@@ -17,7 +17,7 @@
* under the License.
*/
-/* - Commented out because qs.js has a transitive issue due to
request.js. Seehttps://issues.apache.org/jira/browse/OFBIZ-13339 for
details
+/* - Commented out because qs.js has a transitive vulnerabily due to
request.js. Seehttps://issues.apache.org/jira/browse/OFBIZ-13339 for
details
const ganttItemsJson =
document.getElementById("ofbizGantItemsJson").value;
const ganttItems = JSON.parse(ganttItemsJson);
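Review bot: the replacement comment line `+/* - Commented out because qs.js has a transitive vulnerabily due to` misspells "vulnerability"; the GanttChart.ftl hunk in this same commit spells it correctly, so the three comments that carry this sentence should at least agree. Since the only change to this file is the wording of a comment, fixing the spelling here is the whole point of the hunk and worth getting right.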
diff --git a/projectmgr/widget/ProjectScreens.xml
b/projectmgr/widget/ProjectScreens.xml
index 5a8f5d1bb..c1f7649d1 100644
--- a/projectmgr/widget/ProjectScreens.xml
+++ b/projectmgr/widget/ProjectScreens.xml
@@ -424,7 +424,7 @@ under the License.
<actions>
<set field="titleProperty" value="ProjectMgrGanttChart"/>
<set field="tabButtonItem" value="ganttchart"/>
- <!-- Commented out because qs.js has a transitive issue
due to request.js. Seehttps://issues.apache.org/jira/browse/OFBIZ-13339
for details
+ <!-- Commented out because qs.js has a transitive
vulnerabily due to request.js. See
https://issues.apache.org/jira/browse/OFBIZ-13339 for details
<set field="layoutSettings.styleSheets[]"
value="/projectmgr/node_modules/jsgantt-improved/dist/jsgantt.css"
global="true"/>
-->
<set field="layoutSettings.styleSheets[]"
value="/projectmgr/static/projectmgr.css" global="true"/>
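Review bot: "vulnerabily" in the replacement comment line is again a typo for "vulnerability" (compare the .ftl hunk above). Beyond that, this hunk only swaps a word inside an XML comment that already disabled the jsgantt.css stylesheet, so it has no functional effect on the screen; it would help a later reader if the Jira reference were not split across the comment's first two lines, so that a search for OFBIZ-13339 finds the whole explanation together.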
@@ -982,7 +982,7 @@ under the License.
<section>
<actions>
<property-map resource="ProjectMgrUiLabels"
map-name="uiLabelMap" global="true"/>
- <!-- - Commented out because qs.js has a transitive issue
due to request.js. Seehttps://issues.apache.org/jira/browse/OFBIZ-13339
for details
+ <!-- - Commented out because qs.js has a transitive
vulnerabily due to request.js. See
https://issues.apache.org/jira/browse/OFBIZ-13339 for details
<set field="layoutSettings.styleSheets[]"
value="/projectmgr/node_modules/jsgantt-improved/dist/jsgantt.css"
global="true"/>
-->
<set field="layoutSettings.styleSheets[]"
value="/projectmgr/static/projectmgr.css" global="true"/>
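Review bot: same "vulnerabily" typo in the replaced comment line of this second ProjectScreens.xml hunk; note also that the opener here reads `<!-- - Commented out` with a stray "- " that the hunk at line 424 does not have, so the two comments now differ for no reason. Both hunks comment out the identical `layoutSettings.styleSheets[]` setting with the identical explanation; keeping the two comments character-for-character the same (or pointing the second at the first) will make it easier to re-enable both consistently once jsgantt-improved no longer pins the vulnerable qs.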