
  • Sam M 5 posts 85 karma points
    May 11, 2018 @ 19:08
    0

    Use of JavaScript Library with Known Vulnerability

    Hi,

    We provisioned an Umbraco project to a client who did a security scan of the web application. The tool they used complained about the use of JavaScript libraries with known vulnerabilities (angular 1.1.5 and bootstrap 3.3.5) that Umbraco uses.

    Are there any efforts to use stable, more secure libraries in the upcoming releases?

    Have Umbraco developers applied any patches to the libraries that Umbraco currently uses?

    Best Regards,

    Sam

  • Dan Diplo 1554 posts 6205 karma points MVP 5x c-trib
    May 12, 2018 @ 14:26
    100

    I can't answer for the core team, but bear in mind that the Umbraco backend exists behind a password-protected area, so it's not publicly accessible. So this considerably limits the exposure.

    The issue with upgrading is not breaking existing functionality - there are a lot of plugins that use Angular and may risk issues if upgraded. Likewise, latest versions of Bootstrap aren't backwards compatible. It's a huge amount of work to upgrade.

    But there are issues around these that are logged:

    http://issues.umbraco.org/issue/U4-5576

  • Sam M 5 posts 85 karma points
    May 18, 2018 @ 13:33
    0

    Thank you Dan, I think your comment makes sense.
