Hi Jacopo,
Then I'd suggest completely removing the feature, or explaining to possible
users how to put back jsgantt-improved,
manually or by reverting the possible future commit. Then we would need to add
this information to what already exists in GanttChart.ftl.
For now this is what people see when coming to the feature, at eg:
https://demo-trunk.ofbiz.apache.org/projectmgr/control/ganttChart?projectId=9000
------------------------------------------------------------------------------------------------------------------------------------------------------
Project Gantt Chart
This has for now been commented out because qs.js has a transitive
vulnerability due to request.js.
See https://issues.apache.org/jira/browse/OFBIZ-13339 for details
The latest possible version that can be installed is 6.5.3 because of the
following conflicting dependencies:
[email protected] requires qs@~6.5.2 via a transitive dependency on
[email protected]
No patched version available for qs
The earliest fixed version is 6.14.1.
For details see:
https://github.com/advisories/GHSA-6rw7-vpxm-498p
https://github.com/apache/ofbiz-plugins/network/updates/1194761905
https://github.com/jsGanttImproved/jsgantt-improved/issues/384
If you feel it's OK for you (e.g. totally secured Internet access, or rather
no access at all, which is safer!) you may uncomment and use it.
------------------------------------------------------------------------------------------------------------------------------------------------------
https://issues.apache.org/jira/browse/OFBIZ-13339 is related
To be frank, I'd not be against the 1st option.
Jacques
On 19/03/2026 at 14:09, Jacopo Cappellato wrote:
On Thu, Mar 19, 2026 at 11:27 AM Jacques Le Roux via dev <
[email protected]> wrote:
[...]
Why would you want to remove it?
Hi Jacques,
My concern is mainly about keeping a dependency that is known to be
vulnerable and abandoned, regardless of its current usage.
Even if it’s not exposed OOTB, it will still be flagged by security tools,
create noise, and may give users the impression that it’s safe to use.
Since it’s unlikely to be fixed upstream, it also adds unnecessary
technical debt.
Given that it’s not essential, I think removing it would be the cleaner and
safer option.
Best regards,
Jacopo
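The note quoted above says the installed qs cannot go past 6.5.3 because request declares qs@~6.5.2 while the fix landed in 6.14.1. The following is an added example, not code from OFBiz, jsgantt-improved or request, showing why a tilde range makes that statement true: it walks a constructed, lockfile-shaped dependency tree from a root package to a vulnerable package, reports which hop declares the range, and checks whether the fixed version could ever satisfy it. Only the qs range (~6.5.2), the installed qs version (6.5.3) and the fixed version (6.14.1) come from the note; the package versions of jsgantt-improved and request, and request's own range, are placeholders, and the range parser covers only the exact, tilde, caret and >= forms used here.

```javascript
// Added example (not project code). Dependency tree, package versions of the
// two upstream packages and request's range are constructed placeholders.

// Parse "MAJOR.MINOR.PATCH" into numbers; pre-release tags are not handled.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

// Three-way compare of two version strings: -1, 0 or 1.
function compare(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
}

// Minimal npm range support: exact "1.2.3", tilde "~1.2.3" (>=1.2.3 <1.3.0),
// caret "^1.2.3" (>=1.2.3 <2.0.0; narrower for 0.x), and ">=1.2.3".
function satisfies(version, range) {
  range = range.trim();
  if (range.startsWith("~")) {
    const lo = range.slice(1);
    const [M, m] = parseVersion(lo);
    return compare(version, lo) >= 0 && compare(version, `${M}.${m + 1}.0`) < 0;
  }
  if (range.startsWith("^")) {
    const lo = range.slice(1);
    const [M, m, p] = parseVersion(lo);
    const hi = M > 0 ? `${M + 1}.0.0` : m > 0 ? `0.${m + 1}.0` : `0.${m}.${p + 1}`;
    return compare(version, lo) >= 0 && compare(version, hi) < 0;
  }
  if (range.startsWith(">=")) return compare(version, range.slice(2)) >= 0;
  return compare(version, range) === 0;
}

// Constructed tree in a simplified package-lock "dependencies" shape:
// name -> { version, requires: { depName: range } }.
const sampleLock = {
  "jsgantt-improved": { version: "1.0.0", requires: { request: "^2.88.0" } }, // placeholder
  request: { version: "2.88.2", requires: { qs: "~6.5.2" } },                 // version placeholder
  qs: { version: "6.5.3", requires: {} },
};

// Every dependency path root -> ... -> target, recording the range each hop
// was requested with. Cycles are cut by refusing to revisit a name on the trail.
function findPaths(lock, root, target) {
  const paths = [];
  (function walk(name, range, trail) {
    const node = lock[name];
    if (!node || trail.some((h) => h.name === name)) return;
    const hop = [...trail, { name, version: node.version, range }];
    if (name === target) { paths.push(hop); return; }
    for (const [dep, r] of Object.entries(node.requires)) walk(dep, r, hop);
  })(root, lock[root].version, []);
  return paths;
}

// For one path: who declares the range on the vulnerable package, whether the
// installed version is already at or past the fix, whether the declared range
// could admit the fix at all, and whether each hop's installed version matches
// the range its parent asked for.
function assess(path, fixedIn) {
  const last = path[path.length - 1];
  const parent = path[path.length - 2];
  return {
    chain: path.map((h) => `${h.name}@${h.version}`).join(" -> "),
    range: last.range,
    declaredBy: parent ? parent.name : null,
    installedIsFixed: compare(last.version, fixedIn) >= 0,
    rangeAdmitsFix: satisfies(fixedIn, last.range),
    hopsConsistent: path.slice(1).every((h) => satisfies(h.version, h.range)),
  };
}

function audit(lock, root, target, fixedIn) {
  return findPaths(lock, root, target).map((p) => assess(p, fixedIn));
}

for (const r of audit(sampleLock, "jsgantt-improved", "qs", "6.14.1")) {
  console.log(`${r.chain}\n  ${r.declaredBy} requests qs ${r.range}; ` +
    `fixed version ${r.rangeAdmitsFix ? "fits" : "does not fit"} that range`);
}
```

When `rangeAdmitsFix` is false the only ways out are the ones the note describes: patch or replace the package declaring the range (request here), force the resolution with a top-level npm `overrides` entry and accept the risk of an API break, or drop the feature. With ~6.5.2 meaning >=6.5.2 <6.6.0, 6.5.3 is indeed the ceiling and 6.14.1 is unreachable without one of those changes.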