Comment 2 for bug 1955556

Jeremy Stanley (fungi) wrote :

Reviewing the various links included in the bug description, I expect the one which may cause the greatest challenge to address is CVE-2015-9251 for jQuery, as they rolled back the 1.x fix for backward incompatibilities and then released it as 3.0.0 instead, but Horizon's requirements include an upper bound of <2 at the moment. However, reading the description and discussion of that vulnerability, the jQuery maintainers seemed to consider it low severity and impractical to exploit in most applications, requiring something like a `$.get(untrusted_url)` in order to reach the bug at all. It's not readily apparent that ever happens the way jQuery is used in Horizon, so likely irrelevant, but the discussion also includes code we could apply upstream as a workaround if we're unable to make Horizon work with jQuery 3.x: https://github.com/jquery/jquery/issues/2432#issuecomment-403761229
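The cross-domain workaround the comment points to, modelled here as an added example (not code from the bug thread, from Horizon, or from the jQuery project): it assumes the workaround is the `$.ajaxPrefilter` that sets `contents.script = false` for cross-domain requests, as the jQuery 3.0 fix does, and reduces jQuery's Content-Type based dataType inference to a few lines so the effect on a `$.get(url)` call can be checked without a browser.

```javascript
// Added example: how jQuery 1.x/2.x picks a dataType when $.get(url) gives none,
// and why a cross-domain prefilter stops "script" from being inferred.

// Stand-in for jQuery's ajaxSettings (assumption: the real 'contents' table has
// more entries; only the script and json matchers matter here).
function defaultSettings() {
  return {
    crossDomain: false,        // real jQuery derives this from the URL origin
    dataType: undefined,       // undefined when the caller passes no dataType
    contents: {
      script: /\b(?:java|ecma)script\b/,
      json: /\bjson\b/,
    },
  };
}

// Simplified model of jQuery's response handling: with no explicit dataType,
// use the first 'contents' matcher that hits the response Content-Type.
function inferDataType(settings, contentType) {
  if (settings.dataType) return settings.dataType;
  for (const [type, matcher] of Object.entries(settings.contents)) {
    if (matcher && matcher.test(contentType)) return type;
  }
  return 'text';
}

// The prefilter: for cross-domain requests, never infer the "script" type,
// so a text/javascript response is treated as text instead of being evaluated.
// In a real page this body is registered with $.ajaxPrefilter(...).
function crossDomainPrefilter(settings) {
  if (settings.crossDomain) settings.contents.script = false;
  return settings;
}

// Outcome of a `$.get(url)` whose response carries contentType, with or
// without the prefilter installed. `executes` models automatic script eval.
function responseHandling(crossDomain, contentType, hardened) {
  const settings = defaultSettings();
  settings.crossDomain = crossDomain;
  if (hardened) crossDomainPrefilter(settings);
  const dataType = inferDataType(settings, contentType);
  return { dataType, executes: dataType === 'script' };
}
```

An explicit `dataType` in the call (for example `$.get(url, cb, 'json')`) bypasses the inference entirely, which is the other per-call way to avoid the problem.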