update jquery to 3.5.1 #250
Closed

Conversation

andresperezl

Some Open Source vulnerability scanners will mark golang.org/x/tools as vulnerable because of the versions of jquery. Even if the vulnerable parts are not used, this can prevent some organizations from integrating golang.org/x/tools in their code because of it.

@gopherbot
Contributor

This PR (HEAD: 8e38f85) has been imported to Gerrit for code review.

Please visit https://go-review.googlesource.com/c/tools/+/253757 to see it.

Tip: You can toggle comments from me using the comments slash command (e.g. /comments off)
See the Wiki page for more info

@gopherbot
Contributor

Message from Gobot Gobot:

Patch Set 1:

Congratulations on opening your first change. Thank you for your contribution!

Next steps:
A maintainer will review your change and provide feedback. See
https://golang.org/doc/contribute.html#review for more info and tips to get your
patch through code review.

Most changes in the Go project go through a few rounds of revision. This can be
surprising to people new to the project. The careful, iterative review process
is our way of helping mentor contributors and ensuring that their contributions
have a lasting impact.


Please don’t reply on this GitHub thread. Visit golang.org/cl/253757.
After addressing review feedback, remember to publish your drafts!
@gopherbot
Contributor

This PR (HEAD: 3352ea5) has been imported to Gerrit for code review.

Please visit https://go-review.googlesource.com/c/tools/+/253757 to see it.

Tip: You can toggle comments from me using the comments slash command (e.g. /comments off)
See the Wiki page for more info

@atkinsonbg

Can there be some movement on this? We're looking at having to pull the tools package from our code due to this issue.

@edrandall

I've got the following, flagged against: /go/pkg/mod/golang.org/x/[email protected]/cmd/present/static/jquery-ui.js in image: golang:1.17.7

@ademidoff

Hey guys, what would it take to merge this PR? The vulnerability scanners go wild on jQuery prior to 3.5.1, so it'd be great to fix it 👍

@gmonni

gmonni commented Dec 6, 2022

Hey guys, do we have any ETA on merging this PR? Vulnerability scanners are flagging this dependency as a major issue.

@bcmills
Contributor

bcmills commented Dec 9, 2022

The imported Gerrit change (https://go.dev/cl/253757) was abandoned. It's not clear to me why GopherBot did not also close this PR.

If upgrading jQuery is needed for security reasons, I suggest reporting those reasons per https://go.dev/security/policy, and/or updating the discussion on golang/go#39535.

@bcmills bcmills closed this Dec 9, 2022