chore: resolve jQuery devDependency CVE

Update the internal jQuery version (used for tests) to the latest version to resolve a CVE.

As Foundation supports jQuery `>=2.2.0`, the jQuery peer dependency is not changed. PeerDependencies versions in `package.json` should only reflect the actual compatibility with the package, regardless of promotion or "potential" security issue. It's up to the end developer to choose the package version corresponding to its own needs and to the risks comming with its own usage.

diff --git a/package.json b/package.json
index 25ec2ea23f1ada2dbdbeb4fd79549f56ef61cb6d..52b70052eb44ef050ac7bfdf090065daff8471a4 100644 (file)
--- a/package.json
+++ b/package.json
@@ -73,7 +73,7 @@
     "husky": "^1.0.0-rc.2",
     "inquirer": "^6.0.0",
     "is-empty-object": "^1.1.1",
-    "jquery": ">=2.2.0",
+    "jquery": "^3.3.1",
     "js-yaml": "^3.8.4",
     "mocha": "^5.0.5",
     "mocha-headless-chrome": "^2.0.0",

diff --git a/yarn.lock b/yarn.lock
index c9d4114462dab7166357dde3fe0e19aea13bef27..f637358b756a36e207e5b1d6708dd090160f1867 100644 (file)
--- a/yarn.lock
+++ b/yarn.lock
@@ -5205,7 +5205,7 @@ istextorbinary@2.2.1:
     editions "^1.3.3"
     textextensions "2"
 
-jquery@>=1.11, jquery@>=2.2.0:
+jquery@>=1.11, jquery@^3.3.1:
   version "3.3.1"
   resolved "https://registry.yarnpkg.com/jquery/-/jquery-3.3.1.tgz#958ce29e81c9790f31be7792df5d4d95fc57fbca"