
How to resolve ESLint errors due to use of the html() method in jQuery libraries when running security scans with GitHub Advanced Security?


We are using Azure DevOps pipelines and GitHub Advanced Security to scan our repositories for security risks.

ESLint is flagging violations for two rules, @microsoft/sdl/no-html-method and @microsoft/sdl/no-inner-html. The problem is that these flags are in jQuery, jQuery Validation, and Bootstrap – all very standard libraries which are up-to-date in our code base.

Can this be right? If this is really a "high" severity security vulnerability, then why haven’t these issues been fixed? Is there a way to disable these rules in GitHub Advanced Security? Can GitHub Advanced Security’s architects really be expecting people to just not use those libraries?

We’ve updated the library versions and all other package versions; it is clear this is an issue with jQuery’s own .html() calls internally, and with other libraries.
