Description
The version of jQuery UI bundled in https://github.com/posit-dev/py-shiny/blob/main/shiny/www/shared/jqueryui/jquery-ui.min.js is 1.13.2.
According to Sonatype, this version is vulnerable to prototype pollution (SONATYPE-2024-011918):
The $.widget() function in widget.js does not properly check if the name parameter contains a risky JavaScript accessor such as __proto__ or constructor when creating a new widget. An attacker can exploit this vulnerability by providing a crafted name to override the original JavaScript prototype and therefore values of objects used by the application. This may result in arbitrary code execution, data corruption, or application crashes.
This was fixed in jQuery UI 1.14.1: https://jqueryui.com/changelog/1.14.1/#widget-factory.
To be clear, a) I have no idea what shiny uses jQuery UI for, and b) I suspect the probability that this is exploitable via shiny to be very low. However, it's probably good to keep these dependencies up-to-date anyway.
I'd offer a PR to upgrade jQuery UI, but I think you probably do it via htmlDependencies.R (https://github.com/posit-dev/py-shiny/blob/main/scripts/htmlDependencies.R), and therefore it's just a matter of running that script to get the latest versions? I haven't looked too closely at it. Happy to help in any way.
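The following is an added example, not code from this issue, from py-shiny or from jQuery UI. It uses a hypothetical miniature widget factory (`registerWidgetUnsafe` / `registerWidgetSafe`, names assumed here) that, like the advisory text describes, splits a "namespace.name" string and writes the widget prototype under it. It shows why an unchecked name segment such as `__proto__` ends up writing onto `Object.prototype`, and how a simple accessor check of the kind described for 1.14.1 closes that path. Whether shiny ever passes attacker-controlled widget names is not established by the issue; the example only illustrates the sink.

```javascript
// Added example (not jQuery UI or py-shiny code): a minimal stand-in for a
// widget factory that registers base[ns][name] = proto from a "ns.name" string.
// Accessors that reach the prototype chain instead of an own property.
const RISKY_ACCESSORS = new Set(["__proto__", "constructor", "prototype"]);

// Vulnerable shape: no check on either segment of the name.
function registerWidgetUnsafe(base, fullName, proto) {
  const [ns, name] = fullName.split(".");
  // For ns === "__proto__", base[ns] is Object.prototype (truthy), so no new
  // namespace object is created and the next line writes onto Object.prototype.
  if (!base[ns]) base[ns] = {};
  base[ns][name] = proto;
  return base;
}

// Hardened shape: refuse risky accessors and only ever create own properties.
function registerWidgetSafe(base, fullName, proto) {
  const parts = fullName.split(".");
  if (parts.length !== 2 || parts.some((p) => p === "" || RISKY_ACCESSORS.has(p))) {
    throw new Error(`unsafe widget name: ${fullName}`);
  }
  const [ns, name] = parts;
  if (!Object.prototype.hasOwnProperty.call(base, ns)) {
    base[ns] = Object.create(null); // no prototype chain to climb
  }
  base[ns][name] = proto;
  return base;
}

// Demonstrates the pollution: registers a widget under "__proto__.polluted"
// and reads the value back from an unrelated, freshly created object.
function demonstratePollution() {
  const base = {};
  registerWidgetUnsafe(base, "__proto__.polluted", { hint: "from Object.prototype" });
  const unrelated = {};
  const leaked = unrelated.polluted; // inherited, not an own property
  delete Object.prototype.polluted; // clean up so the process is not left polluted
  return leaked;
}

// Demonstrates that the guard rejects the same name.
function safeRejectsRiskyName() {
  try {
    registerWidgetSafe({}, "__proto__.polluted", {});
    return false;
  } catch (e) {
    return ({}).polluted === undefined;
  }
}

// Demonstrates that ordinary names still register as own properties.
function safeRegistersNormalName() {
  const base = registerWidgetSafe({}, "ui.dialog", { open() { return "opened"; } });
  return Object.prototype.hasOwnProperty.call(base, "ui") && base.ui.dialog.open();
}
```

Running `demonstratePollution()` returns the injected object via an unrelated `{}`, which is the whole point of a prototype-pollution sink: the write lands on `Object.prototype`, so every object in the page inherits it.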