Hugo Theme Jquery and Bootstrap Vulnerabilities

I discovered the versions of jquery (2.1.4) and bootstrap (v.3.3.5) for the Hugo Theme I am currently working with ( Icon ) is outdated and contains identified vulnerabilities.

Regardless of the specific Hugo Theme I happen to be using, what is the recommended course of action?

I do not fully understand all the Themes intricacies, so I don’t know if the vulnerabilities apply to my situation.
I am concerned with putting a site online which may become compromised.

Any pointers, suggestions or links are appreciated!

Out of my own time I have removed a few themes from the themes repo that were unmaintained and contained vulnerable versions of jQuery.

However currently there is no policy about this.

Also it would be a task of gargantuan proportions running around to notify the various theme authors about the need to upgrade their jQuery versions.

My advice to you would be to use the latest Bootstrap that ditched jQuery or if you really need some plugin try to update to the latest version of jQuery.

jQuery was very useful once upon a time. It’s not really needed anymore so stop using it if you can.

1 Like

Also if you think that there should be a change in Hugo Themes policy to disallow themes that contain jQuery, then the place to discuss this properly is at:

1 Like

It took me a while to find this thread and I want to be sure not to loose it again.
Pertanate because it is wonderful for identifying the qualities of the Hugo Themes available.
Including tag search for and bootstrap and jquery.
Not sure if its totally up to date but Thanks @pointyfar !

Not to be the one splitting hair: jquery and bootstrap do not contain vulnerabilities. They use libraries that contain vulnerabilities. If you don’t build your own jquery and bootstrap from these repositories then you are “safe”. Even IF you are building your own jquery it should be safe to use as the vulnerable features are not in connection with the built file but with file access and “stuff going on while building”. Vulnerability does not mean you run it and they ask for your credit card next time you visit your site.

If you build your own jquery and bootstrap from these repositories then you are able to “fix” these issues by upgrading to “safe” versions of the dependencies as they write in those security advisories. Current bootstrap v3 version is 3.3.7, current jquery 2 version is 2.2.4

However: jQuery 3 (the next version) was published in June 2016. Two thousand sixteen. When is a theme regarded outdated if it uses old libraries? I think there should be a common-sense regulation for featured themes. When in doubt (or when you don’t trust the theme) then better use another one.

1 Like

Just posting CVE I found for reference. Not sure if they are relevant and make the theme unsafe.

A theme is regarded unmaintained and removed from the Hugo Themes showcase when its demo does not build with the latest Hugo and the theme author fails to respond to our guidance (typically we give a one month time frame for author response).

We do not take third party library versions into account for removing themes from the list.

With the above said, common sense should be exercised. And I have -in at least one occasion- encouraged a theme author to update a third party library version because what was used in his theme was a few years old.

I’ll open a new topic with that but I am having an idea via Github organizations.

In my case I chose this theme because it looked good to me, had a recent date listed on the Hugo Themes Site “Updated 2019-03-06”, was responsive, and the author has a professional web presence and listed this theme in their body of work.

I am not totally up to date on the latest web technologies so I did not really adequately consider underlying details. I did not want any 3rd party dependencies, which may be a contributor to the themes security concerns.

P.S. If you like a theme, I wouldn’t let a vulnerability stop you. You can override the problem file with an upgraded one using Hugo’s lookup order.

1 Like

I actually tried replacing jquery.min.js which lists v2.1.4 with version 3.4.1 this introduced an error

Uncaught TypeError: r.getClientRects is not a function
    at k.fn.init.offset (jquery.min.js:2)
    at e._detectViewport (jquery.stellar.min.js:2)

May not be worth the effort to re-develop this theme at my level of understanding. Especially when I am not sure whether this theme uses Jquery or bootstrap features which would create a vulnerability for my site.

Very interesting topic for sure.

replace it with the latest 2.1.X version, not 3

As you pointed out regarding Jquery.

Makes your other comment make more sense to me…

Yes, they hide old releases. You can find them here:

The one you want is:


That worked without error. Does that mean I should not be concerned anymore, even though the 2.x version is not being patched?
I think I still have bootstrap 3.3.5 which needs to be updated.

If I choose another Hugo Theme, I will have to be careful to choose one without these concerns. is the place for the old bootstrap.

If you have your repository on Github then enable the automatic security check for the repo. It will tell you when to worry :slight_smile: I don’t know if Gitlab and such have that feature. They probably have.

Current Bootstrap v3 is actually 3.4.1 (
jQuery 1.x and 2.x are unsupported - jQuery 3.4.x is the only secure version.

There are breaking changes between 3.3 and 3.4, so the latest supported version of Bootstrap 3.3 is the one above mentioned. That is why offers 3.3 downloads as well as 3.4 downloads.

Thanks for everyone’s help.

I thought I had chosen an up to date theme in Icon but discovered some “probable issues” related to Jquery and Bootstrap. I have implemented this theme anyway for now and will be searching for a possible replacement.

This is disappointing for me since I did spend time customizing the site within the capabilities of the theme chosen.

My goal was to not have to get into theme development by having to reverse engineer this theme to bring it into reasonable compliance. I will reach out to the Icon’s Author to see if the theme needs to be updated.

From the Hugo-Icon Theme Author Steve Lane:
Thanks for pointing these out. Unfortunately, I don’t have the time to update these versions, as I think that moving to a recent bootstrap will break things - have you investigated? If you find that you can update the versions successfully, I’d appreciate a pull request.

I do have github security on the repo which doesn’t show any issues…