It took me a while to find this thread and I want to be sure not to lose it again.
Pertinent because it is wonderful for identifying the qualities of the Hugo Themes available.
Including tag search for bootstrap and jquery.
Not sure if it's totally up to date but Thanks @pointyfar !
Not to be the one splitting hairs: jquery and bootstrap do not contain vulnerabilities. They use libraries that contain vulnerabilities. If you don’t build your own jquery and bootstrap from these repositories then you are “safe”. Even IF you are building your own jquery it should be safe to use, as the vulnerable features are not in connection with the built file but with file access and “stuff going on while building”. Vulnerability does not mean you run it and they ask for your credit card next time you visit your site.
If you build your own jquery and bootstrap from these repositories then you are able to “fix” these issues by upgrading to “safe” versions of the dependencies as they write in those security advisories. Current bootstrap v3 version is 3.3.7, current jquery 2 version is 2.2.4.
However: jQuery 3 (the next version) was published in June 2016. Two thousand sixteen. When is a theme regarded outdated if it uses old libraries? I think there should be a common-sense regulation for featured themes. When in doubt (or when you don’t trust the theme) then better use another one.
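As an added example (not code from this thread or from any of the projects mentioned in it), a small audit script that reads the version banners of the jQuery and Bootstrap files bundled in a theme's static directory and flags those behind the versions stated above; the sample banners, the baseline table and the classify rules are my own construction, with jQuery 3 taken as the newer major line mentioned above.

```python
import re
from pathlib import Path

# Constructed sample banners, shaped like the header comments at the top of the
# minified files a theme ships (a real theme is scanned with scan_theme below).
SAMPLE_FILES = {
    "static/js/jquery.min.js":
        "/*! jQuery v2.1.4 | (c) 2005, 2015 jQuery Foundation, Inc. | jquery.org/license */\n!function(a,b){}",
    "static/css/bootstrap.min.css":
        "/*!\n * Bootstrap v3.3.7 (http://getbootstrap.com)\n */.btn{}",
    "static/js/jquery.stellar.min.js":
        "/*! Stellar.js v0.6.2 | Copyright 2014 */!function(a){}",
}

# Last release of each major line as stated in the thread (assumed baseline),
# and the newer major line the thread points to for jQuery.
BASELINE = {("jquery", 2): (2, 2, 4), ("bootstrap", 3): (3, 3, 7)}
LATEST_MAJOR = {"jquery": 3}

BANNER = re.compile(r"\b(jQuery|Bootstrap) v(\d+)\.(\d+)\.(\d+)", re.IGNORECASE)

def detect_library(text):
    """Return (name, (major, minor, patch)) from a file's banner, or None."""
    m = BANNER.search(text[:500])          # banners sit at the very top of the file
    if not m:
        return None
    return m.group(1).lower(), tuple(int(x) for x in m.group(2, 3, 4))

def classify(name, ver):
    """Rate a detected version against the baseline table."""
    baseline = BASELINE.get((name, ver[0]))
    if baseline is None:
        return "unknown"    # major line not in the table: review by hand
    if ver < baseline:
        return "outdated"   # behind the last release of its own major line
    if ver[0] < LATEST_MAJOR.get(name, ver[0]):
        return "legacy"     # current within its line, but a newer major exists
    return "ok"

def audit(files):
    """Map each recognised library file to (name, version, status)."""
    findings = {}
    for path, text in files.items():
        hit = detect_library(text)
        if hit is not None:
            findings[path] = (hit[0], hit[1], classify(*hit))
    return findings

def scan_theme(theme_root):
    """Audit every .js/.css file under a theme directory on disk."""
    root = Path(theme_root)
    files = {str(p.relative_to(root)): p.read_text(errors="ignore")
             for p in root.rglob("*") if p.suffix in (".js", ".css")}
    return audit(files)
```

Files without a recognised banner (the Stellar plugin here) are skipped rather than rated, so a clean report only covers what the script could identify.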
A theme is regarded unmaintained and removed from the Hugo Themes showcase when its demo does not build with the latest Hugo and the theme author fails to respond to our guidance (typically we give a one month time frame for author response).
We do not take third party library versions into account for removing themes from the list.
With the above said, common sense should be exercised. And I have (on at least one occasion) encouraged a theme author to update a third party library version because what was used in his theme was a few years old.
I am not totally up to date on the latest web technologies so I did not really adequately consider underlying details. I did not want any 3rd party dependencies, which may be a contributor to the theme's security concerns.
I actually tried replacing jquery.min.js, which lists v2.1.4, with version 3.4.1; this introduced an error:
Uncaught TypeError: r.getClientRects is not a function
at k.fn.init.offset (jquery.min.js:2)
at e._detectViewport (jquery.stellar.min.js:2)
May not be worth the effort to re-develop this theme at my level of understanding. Especially when I am not sure whether this theme uses jQuery or bootstrap features which would create a vulnerability for my site.
I thought I had chosen an up to date theme in Icon but discovered some “probable issues” related to jQuery and Bootstrap. I have implemented this theme anyway for now and will be searching for a possible replacement.
This is disappointing for me since I did spend time customizing the site within the capabilities of the theme chosen.
My goal was to not have to get into theme development by having to reverse engineer this theme to bring it into reasonable compliance. I will reach out to Icon’s author to see if the theme needs to be updated.
From the Hugo-Icon Theme Author Steve Lane:
Thanks for pointing these out. Unfortunately, I don’t have the time to update these versions, as I think that moving to a recent bootstrap will break things - have you investigated? If you find that you can update the versions successfully, I’d appreciate a pull request.
I do have github security on the repo which doesn’t show any issues…