I'm seeing several Dependabot security alerts due to jquery-ui-rails version 6's dependency on jQuery UI v1.12 (e.g. GHSA-gpqq-952q-5327).
These can be fixed by upgrading jquery-ui-rails to v7.0.0.
There's a slight issue with upgrading in that presently, the jquery-ui-rails gem hasn't got any maintainers who can push it to RubyGems.
I believe this can be achieved (at least temporarily) using the GitHub repository's v7.0.0 tag.
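
A check for the upgrade described above, as an added example that is not part of the original post: it reads a `Gemfile.lock` and reports whether jquery-ui-rails resolves to v7.0.0 or later and whether it comes from a Git tag. The function names, the repository URL, the all-zero revision and both sample lockfiles are assumptions constructed for illustration.

```ruby
require "rubygems" # Gem::Version for version comparison

FIXED = Gem::Version.new("7.0.0") # version the post says clears the alerts

# Assumed Gemfile entry that would produce AFTER_LOCK below:
#   gem "jquery-ui-rails", git: "https://github.com/jquery-ui-rails/jquery-ui-rails.git", tag: "v7.0.0"

# Returns {version:, source:, tag:, revision:} for the resolved gem, or nil.
def locked_gem(lockfile_text, name)
  section = nil
  meta = {}
  lockfile_text.each_line do |line|
    case line
    when /\A([A-Z ]+)\s*\z/                          # section header: GIT, GEM, PATH...
      section = $1.strip
      meta = {}
    when /\A  (remote|revision|tag|branch): (.+)\s*\z/
      meta[$1.to_sym] = $2.strip
    when /\A    #{Regexp.escape(name)} \(([\w.]+)[^)]*\)/ # 4-space indent = resolved spec
      return { version: Gem::Version.new($1), source: section,
               tag: meta[:tag], revision: meta[:revision] }
    end
  end
  nil
end

def audit(lockfile_text)
  g = locked_gem(lockfile_text, "jquery-ui-rails")
  return :absent if g.nil?
  return :vulnerable if g[:version] < FIXED          # still bundles jQuery UI v1.12
  return :fixed_from_git_tag if g[:source] == "GIT" && g[:tag]
  :fixed
end

# Constructed sample lockfiles (not taken from a real project).
BEFORE_LOCK = <<LOCK
GEM
  remote: https://rubygems.org/
  specs:
    jquery-ui-rails (6.0.1)
      railties (>= 3.2.16)
LOCK

AFTER_LOCK = <<LOCK
GIT
  remote: https://github.com/jquery-ui-rails/jquery-ui-rails.git
  revision: 0000000000000000000000000000000000000000
  tag: v7.0.0
  specs:
    jquery-ui-rails (7.0.0)
      railties (>= 3.2.16)
LOCK

puts audit(BEFORE_LOCK), audit(AFTER_LOCK) if $PROGRAM_NAME == __FILE__
```

The `revision` field in the lockfile records the commit the tag resolved to when the bundle was locked, so reviewing changes to that line shows when the Git source moves.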