Comment 12 for bug 1955556

Jeremy Stanley (fungi) wrote :

Balazs Gibizer: It's a grey area, but it's technically correct to say that we don't mandate use of vulnerable jQuery. Our global requirements and constraints lists indicate the upstream versions we test with and know to work, which yes are vulnerable versions. OpenStack expects security vulnerabilities in its dependencies to be patched downstream in most cases (GNU/Linux distributions often backport security fixes to older versions of libraries).

If Horizon developers have time to get it working and tested with newer libraries rather than putting the dependency patching burden on downstream consumers, then that would be great, of course, but it's unlikely to be a backportable solution in Horizon so not something we're going to be able to issue a security advisory for (hence the "won't fix" state for the advisory task). Hopefully that makes sense?